diff --git a/.sops.yaml b/.sops.yaml index fbf069b..32e904d 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -5,9 +5,10 @@ keys: - &dominik age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d - &dominik2 age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch - - &tuxedo age17c4swm58zt07axl5u6kkxrwtr5haqkvu4ye4t98qdph98qdclgtq2cyzkq - &git-server age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 - &web-01-server age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 + - &web-02 age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw + - &web-arm age136s4znrmkheztq6mps46dj5z4avy2umzz3the58fqtlsksvx5skq9ljqgk - &home-assistant-server age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 - &ldap-server-test age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t - &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 @@ -36,12 +37,22 @@ creation_rules: - *dominik - *dominik2 - *fw + - path_regex: hosts/fw.cloonar.com/modules/web/[^/]+\.yaml$ + key_groups: + - age: + - *dominik + - *web-02 - path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$ key_groups: - age: - *dominik - *dominik2 - *web-01-server + - path_regex: hosts/web-arm/[^/]+\.yaml$ + key_groups: + - age: + - *dominik + - *web-arm - path_regex: hosts/mail.cloonar.com/[^/]+\.yaml$ key_groups: - age: @@ -56,6 +67,7 @@ creation_rules: - *dominik2 - *git-server - *web-01-server + - *web-02 - *home-assistant-server - *ldap-server-arm - *ldap-server-test diff --git a/fleet.nix b/fleet.nix index 19b7b5e..7f7ef11 100644 --- a/fleet.nix +++ b/fleet.nix @@ -23,6 +23,10 @@ username = "web-01.cloonar.com"; key = "ssh-rsa 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 root@web-01"; } + { + username = "web-arm"; + key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzJRWe8hsqAVnGSjPrcheloteWMzORoQ5Gj4IfhCROF"; + } { username = "mail.cloonar.com"; key = "ssh-rsa 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 root@mail"; 
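Review bot: The two new creation_rules (for `hosts/fw.cloonar.com/modules/web/` and `hosts/web-arm/`) list only `*dominik` plus the host key, whereas the neighbouring rules for web-01 and the other hosts also include `*dominik2`; if that omission is not deliberate, losing the one admin key leaves those secrets recoverable only from the VM's own host key. In the last .sops.yaml hunk `*web-02` is also added to the wide shared rule next to git-server, web-01-server, home-assistant-server and the ldap servers, so the web-02 VM key can decrypt everything that rule covers rather than only its own `modules/web/secrets.yaml`; leave it out there unless the VM really needs those files. Suggested change for both new rules: add `- *dominik2` under the `age:` list, matching the sibling rules.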
diff --git a/hosts/fw.cloonar.com/configuration.nix b/hosts/fw.cloonar.com/configuration.nix index d1f79a5..d6239c7 100644 --- a/hosts/fw.cloonar.com/configuration.nix +++ b/hosts/fw.cloonar.com/configuration.nix @@ -25,9 +25,18 @@ ./modules/ddclient.nix ./modules/wol.nix + # microvm + ./modules/microvm.nix + ./modules/gitea-vm.nix + + # web + ./modules/web + # git ./modules/gitea.nix # ./modules/fwmetrics.nix + + ./modules/firefox-sync.nix # home assistant ./modules/home-assistant diff --git a/hosts/fw.cloonar.com/modules/dhcp4.nix b/hosts/fw.cloonar.com/modules/dhcp4.nix index 8a3a2f7..32aa302 100644 --- a/hosts/fw.cloonar.com/modules/dhcp4.nix +++ b/hosts/fw.cloonar.com/modules/dhcp4.nix @@ -77,6 +77,11 @@ ip-address = "10.42.97.2"; server-hostname = "omada.cloonar.com"; } + { + hw-address = "02:00:00:00:00:03"; + ip-address = "10.42.97.5"; + server-hostname = "web-02.cloonar.com"; + } { hw-address = "ea:db:d4:c1:18:ba"; ip-address = "10.42.97.50"; diff --git a/hosts/fw.cloonar.com/modules/firefox-sync.nix b/hosts/fw.cloonar.com/modules/firefox-sync.nix new file mode 100644 index 0000000..a2c493a --- /dev/null +++ b/hosts/fw.cloonar.com/modules/firefox-sync.nix 
@@ -0,0 +1,83 @@ +{ config, pkgs, ... }: +let + domain = "sync.cloonar.com"; +in { + sops.secrets.firefox-sync = { }; + + security.acme.certs."${domain}" = { + group = "nginx"; + }; + + containers."firefox-sync" = { + autoStart = true; + ephemeral = false; # because of ssh key + privateNetwork = true; + hostBridge = "server"; + hostAddress = "10.42.97.1"; + localAddress = "10.42.97.51/24"; + bindMounts = { + "/run/secrets/firefox-sync" = { + hostPath = "/run/secrets/firefox-sync"; + isReadOnly = true; + }; + "/var/lib/acme/${domain}/" = { + hostPath = "${config.security.acme.certs.${domain}.directory}"; + isReadOnly = true; + }; + }; + config = { lib, config, pkgs, ... }: { + networking = { + hostName = "firefox-sync"; + useHostResolvConf = false; + defaultGateway = { + address = "10.42.97.1"; + interface = "eth0"; + }; + firewall.enable = false; + nameservers = [ "10.42.97.1" ]; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."${domain}" = { + sslCertificate = "/var/lib/acme/${domain}/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${domain}/key.pem"; + sslTrustedCertificate = "/var/lib/acme/${domain}/chain.pem"; + listen = [ + { + addr = "0.0.0.0"; + ssl = true; + port = 5000; + } + ]; + locations."/" = { + proxyPass = "http://localhost:5001/"; + recommendedProxySettings = true; + }; + }; + + services.mysql.package = pkgs.mariadb; + services.firefox-syncserver = { + enable = true; + singleNode = { + enable = true; + enableNginx = false; + hostname = domain; + }; + settings = { + port = 5001; + tokenserver.enable = true; + }; + secrets = "/run/secrets/firefox-sync"; + logLevel = "trace"; + }; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + system.stateVersion = "23.05"; + }; + }; +} diff --git a/hosts/fw.cloonar.com/modules/firewall.nix b/hosts/fw.cloonar.com/modules/firewall.nix index 7e2748b..b32c703 100644 --- a/hosts/fw.cloonar.com/modules/firewall.nix +++ b/hosts/fw.cloonar.com/modules/firewall.nix @@ -21,6 +21,7 @@ chain input { type filter hook input priority filter; policy drop; iifname "lo" accept comment "trusted interfaces" + iifname "lan" counter accept comment "Spice" ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow } tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info } @@ -29,7 +30,8 @@ udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections" iifname lo accept iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic" - iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" + iifname "lan" tcp dport 5931 counter accept comment "Spice" + iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router" iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS" iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP" 
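Review bot: `logLevel = "trace"` in the new firefox-sync container is a debug setting that writes request-level detail to the journal of a service this change exposes to the WAN through the new DNAT rule, and at that level the sync server may log token material; set `logLevel = "info";` (or `warn`) before rollout and raise it only while diagnosing. Inside the container `firewall.enable = false` while nginx listens on `0.0.0.0:5000` and the backend on 5001, so the router's forward chain is the only filter; a one-line comment stating that (`# container firewall off: only tcp/5000 is reachable via the router's forward chain`) would stop a later reader from assuming the container is filtered. The root `authorizedKeys` list repeats the same two keys as the gitea and web VMs; one shared module would keep key rotation in one place.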
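Review bot: The added `iifname "lan" counter accept comment "Spice"` in `chain input` is placed before the `ct state vmap` line, so every packet from `lan` to the router is accepted unconditionally and skips the invalid-state drop, the new-connection rate limit and the `input-allow` chain (the chain itself starts before the hunk). The second firewall hunk already adds `iifname "lan" tcp dport 5931 counter accept comment "Spice"` in `input-allow`, and `lan` is already in that chain's trusted set, so the blanket rule is redundant and should be removed. If the goal was to exempt Spice from rate limiting, keep only the port-specific rule and move that one line above the rate-limit rule instead.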
@@ -82,11 +84,12 @@ iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept # Forward to git server - oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept + oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept + oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept # lan and vpn to any # TODO: disable wan when finished - iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept + iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept iifname { "infrastructure" } oifname { "server", "vserver" } log prefix "Infrastructure connection: " accept iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld" @@ -97,6 +100,9 @@ oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved" oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved" + # firefox-sync + oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync" + # allow all established, related ct state { established, related } accept comment "Allow established traffic" @@ -112,6 +118,7 @@ "podman*", "guest", "vb-*", + "vm-*", } oifname { "wan", } counter accept comment "Allow trusted LAN to WAN" 
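Review bot: Adding `"vm-*"` to the trusted interface sets (the lan/vpn-to-any line here, the `Allow trusted LAN to WAN` set in the last hunk, and `allow trusted to router` in the earlier input-allow hunk) gives every microvm tap the same reach as `lan`, and that now includes the gitea-runner VM, which runs CI jobs in podman containers for any repository on the Gitea instance. Since microvm.nix also attaches `vm-*` to the `server` bridge it is unclear whether an `iifname "vm-*"` match ever fires at the router (bridged ports are seen as `server`), but either way the runner inherits lan, infrastructure and WAN access through one of the two paths. Consider giving the runner its own interface or zone with a narrow rule set, e.g. `iifname "vm-gitea-runner" oifname "wan" counter accept comment "runner egress"` plus the Gitea host only, and leave `vm-*` out of the trusted sets; the forward chain itself starts and ends outside these hunks.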
@@ -125,7 +132,9 @@ content = '' chain prerouting { type nat hook prerouting priority filter; policy accept; - iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50 + iifname "wan" tcp dport { 22 } dnat to 10.42.97.50 + iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5 + iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51 iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201 iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201 } @@ -135,6 +144,7 @@ type nat hook postrouting priority filter; policy accept; oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade + iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade } ''; diff --git a/hosts/fw.cloonar.com/modules/gitea-vm.nix b/hosts/fw.cloonar.com/modules/gitea-vm.nix new file mode 100644 index 0000000..80bdeae --- /dev/null +++ b/hosts/fw.cloonar.com/modules/gitea-vm.nix 
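Review bot: The new `iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade` rule in the postrouting hunk rewrites the source of every WAN client to the router's address, so the firefox-sync container and its nginx access log never see the real client IP, which is the one field you would need for abuse detection or incident review of this newly WAN-exposed port. Because the container's default gateway is the router (`10.42.97.1`), return traffic for the DNAT'd port 5000 already flows back through the firewall, so the masquerade is only needed for `wg_cloonar` clients: `iifname "wg_cloonar" ip daddr 10.42.97.51 masquerade` suffices. The same pattern exists for .50 and .201 in the context lines; this note is about the added rule only.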
@@ -0,0 +1,169 @@ +{ nixpkgs, pkgs, ... }: let + hostname = "git-02"; + json = pkgs.formats.json { }; +in { + microvm.vms = { + gitea = { + config = { + microvm = { + hypervisor = "cloud-hypervisor"; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/var/lib/acme/git.cloonar.com"; + mountPoint = "/var/lib/acme/${hostname}.cloonar.com"; + tag = "ro-cert"; + proto = "virtiofs"; + } + ]; + interfaces = [ + { + type = "tap"; + id = "vm-${hostname}"; + mac = "02:00:00:00:00:01"; + } + ]; + }; + + imports = [ + ../fleet.nix + ]; + + environment.systemPackages = with pkgs; [ + vim # my preferred editor + ]; + + networking = { + hostName = hostname; + firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."${hostname}.cloonar.com" = { + sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem"; + sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem"; + sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem"; + forceSSL = true; + locations."/" = { + proxyPass = "http://localhost:3001/"; + }; + }; + + services.gitea = { + enable = true; + appName = "Cloonar Gitea server"; # Give the site a name + settings = { + server = { + ROOT_URL = "https://${hostname}.cloonar.com/"; + HTTP_PORT = 3001; + DOMAIN = "${hostname}.cloonar.com"; + }; + openid = { + ENABLE_OPENID_SIGNIN = true; + ENABLE_OPENID_SIGNUP = true; + WHITELISTED_URIS = "auth.cloonar.com"; + }; + service = { + DISABLE_REGISTRATION = true; + ALLOW_ONLY_EXTERNAL_REGISTRATION = true; + SHOW_REGISTRATION_BUTTON = false; + }; + actions.ENABLED=true; + }; + }; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + system.stateVersion = "22.05"; + }; + }; + + gitea-runner = { + config = { + microvm = { + mem = 12288; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/run/secrets"; + mountPoint = "/run/secrets"; + tag = "ro-token"; + proto = "virtiofs"; + } + ]; + volumes = [ + { + image = "rootfs.img"; + mountPoint = "/"; + size = 102400; + } + ]; + interfaces = [ + { + type = "tap"; + id = "vm-gitea-runner"; + mac = "02:00:00:00:00:02"; + } + ]; + }; + + environment.systemPackages = with pkgs; [ + vim # my preferred editor + ]; + + networking.hostName = "gitea-runner"; + + virtualisation.podman.enable = true; + + services.gitea-actions-runner.instances.vm = { + enable = true; + url = "https://git.cloonar.com"; + name = "vm"; + tokenFile = "/run/secrets/gitea-runner-token"; + labels = [ + "ubuntu-latest:docker://shivammathur/node:latest" + ]; + settings = { + container = { + network = "podman"; + }; + }; + }; + + services.openssh.enable = true; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + "ssh-ed25519 
AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + system.stateVersion = "22.05"; + }; + }; + }; + + sops.secrets.gitea-runner-token = {}; + + environment = { + systemPackages = [ + pkgs.qemu + pkgs.quickemu + ]; + }; +} diff --git a/hosts/fw.cloonar.com/modules/gitea.nix b/hosts/fw.cloonar.com/modules/gitea.nix index e0d8aa2..66c9e51 100644 --- a/hosts/fw.cloonar.com/modules/gitea.nix +++ b/hosts/fw.cloonar.com/modules/gitea.nix @@ -106,21 +106,5 @@ in }; }; - - sops.secrets.gitea-runner-token = { }; - - services.gitea-actions-runner.instances.main = { - enable = true; - url = "https://git.cloonar.com"; - name = "main"; - tokenFile = "/run/secrets/gitea-runner-token"; - labels = [ - "ubuntu-latest:docker://shivammathur/node:latest" - ]; - settings = { - container = { - network = "server"; - }; - }; - }; + sops.secrets.gitea-runner = {}; } diff --git a/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix b/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix index 2a50fb2..6392912 100644 --- a/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix +++ b/hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix @@ -6,6 +6,19 @@ "samsungtv" ]; services.home-assistant.config = { + ios = { + actions = [ + { + name = "Home Cinema"; + label.text = "Home Cinema"; + icon = { + icon = "theater"; + color = "#ffffff"; + }; + show_in_watch = true; + } + ]; + }; binary_sensor = [ { name = "xbox"; 
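Review bot: The gitea-runner VM shares the host's entire `/run/secrets` directory (`source = "/run/secrets"; tag = "ro-token"`) although it only reads `/run/secrets/gitea-runner-token`; every other decrypted sops secret on the firewall host (the WireGuard keys and the home-assistant and firefox-sync secrets visible in secrets.yaml in this change) becomes readable inside a VM whose job is to run untrusted CI workloads. Put the token in a dedicated directory (the sops `path` option on `sops.secrets.gitea-runner-token`) and share only that directory, keeping the mount point the runner expects. In the `gitea` VM, the share mounts the host's `/var/lib/acme/git.cloonar.com` at `/var/lib/acme/${hostname}.cloonar.com` while the vhost and `ROOT_URL` use `git-02.cloonar.com`, so the served certificate will not match the name; a comment saying whether `git-02` is a staging name would help.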
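Review bot: The host-side hunk in gitea.nix declares `sops.secrets.gitea-runner = {};` (and the encrypted value is added to secrets.yaml in this change) but nothing in the diff consumes it; the runner in the VM reads `gitea-runner-token`, which gitea-vm.nix declares separately. If `gitea-runner` is a leftover from the old host-side runner, drop the declaration so the secret is not decrypted into `/run/secrets` with no reader.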
@@ -290,13 +303,23 @@ ]; }; "automation multimedia scene switch" = { - trigger = { - platform = "event"; - event_type = "button_pressed"; - event_data = { - id = [ 254 235 105 198 ]; - }; - }; + alias = "multimedia scene switch"; + trigger = [ + { + platform = "event"; + event_type = "button_pressed"; + event_data = { + id = [ 254 235 105 198 ]; + }; + } + { + platform = "event"; + event_type = "ios.action_fired"; + event_data = { + actionName = "Home Cinema"; + }; + } + ]; condition = { condition = "state"; entity_id = "binary_sensor.multimedia_device_on"; @@ -308,9 +331,19 @@ { conditions = [ { - condition = "state"; - entity_id = "media_player.android_tv_metz_cloonar_multimedia"; - state = "on"; + condition = "or"; + conditions = [ + { + condition = "state"; + entity_id = "media_player.android_tv_metz_cloonar_multimedia"; + state = "on"; + } + { + condition = "state"; + entity_id = "media_player.android_tv_metz_cloonar_multimedia"; + state = "idle"; + } + ]; } ]; sequence = [ @@ -338,7 +371,7 @@ num_repeats = 1; delay_secs = 0.4; hold_secs = 0; - command = "b64: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"; + command = "b64:sQs0AB0JCxsLGx0IHQgLGh0ICxoLGx0JCxodCQobCxoLAAEXHQgdCR0JCxodCQsbCxsLGx0JCxoAAAAA"; }; } { 
@@ -381,7 +414,7 @@ num_repeats = 1; delay_secs = 0.4; hold_secs = 0; - command = "b64:sQs0AB0JCxsLGx0IHQgLGh0ICxoLGx0JCxodCQobCxoLAAEXHQgdCR0JCxodCQsbCxsLGx0JCxoAAAAA"; + command = "b64:sgBqAgkaBBoJCRsJHBoKGgoJGgQaCQkaBAgbGwoIHAgcGwkJGwgAARkbCRsJGwkJGgQaCgkaBAgbCRsbCQkbGwkJGgQIGxwJGwkJGxsJCRwIHBoKCBsECBsbCAQIGwkAARgbChoKGgoJGxsJCRoECBsJHBsJCRoEGgkJGwkcGgobCQkbGwkJGwkbGwoIHAkbGwkJGwkAARgbCRsJGwoIGxwJCRsJGwkbGwoIGxwIChoKGhwJGwkJHBsJCRsJGxsJCRsJHBsJCRsJAAEYGwkbCRsKCBscCQkbCRsJGxsJCRwbCQkbCRsbCRsJCRscCQgcCRocCQkbCRsbCQobCQABGBsJGwkbCQkbHAkJGwkbCRsbCQkbGwoJGwkbGwkbCQkbGwoIHAkbGwkJGgobGwkKGwkAARccCRsJGwkJHBsJCRsJGwkbGwkJGxsKCRsIHBsJGwkJGxsKCRoJGxwJCRsJGxsJChsIAAEZGwgcCRsJCRscCQkbCRsJGhwJCRscCQkaChsbCRsJCRscCQgcCRocCQkbCRsbCggcCQABGBsJGwkbCggcGwkJGwkbCRsbCggcGgoJGwkbGwkbCggcGwkJGwkbGwkJHAgcGwkJGwkAARgbChoKGgoJGhwJCRsJGwkcGgoJGxsJCRsJGxsJHAkJGxsJCRsJGhwJCRwJGhwJCRsJAAEYGwoaChsJCRsbCQkaChsJGxwJCRsbCQkbCRsbChsJCRsbCQkbCRsbCgkbCRsbCQkcCAABFwQaChsJGwkJGxsKCBwIHAgcGwkJGxsKCBwIGwQaCRsJCRwaCggcCBwbCQkbCRwaCggcCAAF3AAAAAAAAAAAAAAAAAAA"; }; } { diff --git a/hosts/fw.cloonar.com/modules/microvm.nix b/hosts/fw.cloonar.com/modules/microvm.nix new file mode 100644 index 0000000..30ee742 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/microvm.nix @@ -0,0 +1,8 @@ +{ nixpkgs, ...}: +{ + imports = [ (builtins.fetchGit { + url = "https://github.com/astro/microvm.nix"; + } + "/nixos-modules/host") ]; + + systemd.network.networks."31-server".matchConfig.Name = [ "vm-*" ]; +} diff --git a/hosts/fw.cloonar.com/modules/networking.nix b/hosts/fw.cloonar.com/modules/networking.nix index 1ac4777..97658c7 100644 --- a/hosts/fw.cloonar.com/modules/networking.nix +++ b/hosts/fw.cloonar.com/modules/networking.nix @@ -7,6 +7,7 @@ }; systemd.network = { + enable = true; wait-online.anyInterface = true; links = { "10-wan" = { 
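Review bot: `builtins.fetchGit { url = "https://github.com/astro/microvm.nix"; }` in the new microvm.nix has no `rev` (or `ref`), so the hypervisor host module is whatever the upstream default branch holds at evaluation time: the build is not reproducible and any change or compromise upstream is pulled into the firewall host on the next rebuild. Pin it, e.g. `builtins.fetchGit { url = "https://github.com/astro/microvm.nix"; ref = "main"; rev = "<commit-sha>"; }` (placeholder sha), or add it as a flake input. The same unpinned pattern appears in `web/default.nix`, where impermanence is fetched with `fetchTarball` of `master.tar.gz` and no `sha256`.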
@@ -18,6 +19,19 @@ linkConfig.Name = "lan"; }; }; + netdevs = { + "30-server".netdevConfig = { + Kind = "bridge"; + Name = "server"; + }; + }; + networks = { + "31-server" = { + matchConfig.Name = [ "vserver" ]; + # Attach to the bridge that was configured above + networkConfig.Bridge = "server"; + }; + }; }; networking = { @@ -51,11 +65,11 @@ # interface = "vserver"; # mode = "bridge"; # }; - bridges = { - server = { - interfaces = [ "vserver" ]; - }; - }; + # bridges = { + # server = { + # interfaces = [ "vserver" ]; + # }; + # }; interfaces = { # Don't request DHCP on the physical interfaces diff --git a/hosts/fw.cloonar.com/modules/podman.nix b/hosts/fw.cloonar.com/modules/podman.nix index ad827cb..de4db21 100644 --- a/hosts/fw.cloonar.com/modules/podman.nix +++ b/hosts/fw.cloonar.com/modules/podman.nix @@ -19,15 +19,15 @@ let in { users.groups.podman.gid = cids.gids.podman; virtualisation = { - containers.containersConf.settings = { - containers.dns_servers = [ "10.42.97.1" ]; - }; + # containers.containersConf.settings = { + # containers.dns_servers = [ "10.42.97.1" ]; + # }; podman = { enable = true; dockerCompat = true; - defaultNetwork.settings = { - dns_enabled = true; # Enable DNS resolution in the podman network. - }; + # defaultNetwork.settings = { + # dns_enabled = true; # Enable DNS resolution in the podman network. + # }; }; }; diff --git a/hosts/fw.cloonar.com/modules/postgresql.nix b/hosts/fw.cloonar.com/modules/postgresql.nix new file mode 100644 index 0000000..3f3711d --- /dev/null +++ b/hosts/fw.cloonar.com/modules/postgresql.nix 
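Review bot: The `bridges = { server = ... }` block in networking.nix and the `containersConf`/`defaultNetwork.settings` DNS blocks in podman.nix are commented out rather than deleted; git already records them, and the dead blocks leave it unclear whether the move of the bridge to systemd-networkd and the loss of `dns_servers = [ "10.42.97.1" ]` for podman containers are intended. Delete them and state the intent in a short comment, e.g. `# bridge "server" is now created by systemd-networkd (30-server / 31-server)`; for podman, confirm which resolver containers now get, since `services.resolved.enable = false` is set in the unbound hunk of this change.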
@@ -0,0 +1,20 @@ +{ config, pkgs, ... }: + +{ + services.postgresql = { + enable = true; + ensureDatabases = [ "mydatabase" ]; + + identMap = '' + # ArbitraryMapName systemUser DBUser + superuser_map root postgres + superuser_map postgres postgres + # Let other names login as themselves + superuser_map /^(.*)$ \1 + ''; + authentication = pkgs.lib.mkOverride 10 '' + #type database DBuser auth-method optional_ident_map + local sameuser all peer map=superuser_map + ''; + }; +}; diff --git a/hosts/fw.cloonar.com/modules/unbound.nix b/hosts/fw.cloonar.com/modules/unbound.nix index 370c3ca..204dde4 100644 --- a/hosts/fw.cloonar.com/modules/unbound.nix +++ b/hosts/fw.cloonar.com/modules/unbound.nix @@ -2,9 +2,30 @@ let cids = import ../modules/staticids.nix; domain = "ns.cloonar.com"; + + adblockLocalZones = pkgs.stdenv.mkDerivation { + name = "unbound-zones-adblock"; + + src = (pkgs.fetchFromGitHub { + owner = "StevenBlack"; + repo = "hosts"; + rev = "3.0.0"; + sha256 = "01g6pc9s1ah2w1cbf6bvi424762hkbpbgja9585a0w99cq0n6bxv"; + } + "/hosts"); + + phases = [ "installPhase" ]; + + installPhase = '' + ${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out + ''; + + }; cfg = { remote-control.control-enable = true; server = { + include = [ + "\"${adblockLocalZones}\"" + ]; interface = [ "0.0.0.0" "::0" ]; interface-automatic = "yes"; access-control = [ @@ -32,7 +53,10 @@ let "\"deconz.cloonar.com IN A 10.42.97.22\"" "\"snapcast.cloonar.com IN A 10.42.97.21\"" "\"home-assistant.cloonar.com IN A 10.42.97.20\"" + "\"web-02.cloonar.com IN A 10.42.97.5\"" + "\"support.cloonar.com IN A 10.42.97.5\"" "\"git.cloonar.com IN A 10.42.97.50\"" + "\"sync.cloonar.com IN A 10.42.97.51\"" "\"stage.wsw.at IN A 10.254.235.22\"" "\"prod.wsw.at IN A 10.254.217.23\"" 
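Review bot: The new postgresql.nix ends with `};` after the top-level attribute set, which Nix rejects as a syntax error; it goes unnoticed only because nothing imports it (the configuration.nix import list in this change does not include it). It also ships the placeholder `ensureDatabases = [ "mydatabase" ]`, and the ident map lets `root` log in as `postgres` and any other system user as its own-named role, which deserves a comment naming who is expected to use `superuser_map`. If this is meant for the host, drop the trailing `;`, replace the placeholder and import it; if it is a scratch file, leave it out of the commit.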
@@ -71,6 +95,8 @@ let "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\"" "\"conf.wrwks.at IN A 10.254.240.105\"" + "\"web.hilgenberg-gmbh.de IN A 91.107.197.169\"" + "\"deconz.cloonar.multimedia IN A 10.42.97.22\"" "\"metz.cloonar.multimedia IN A 10.42.99.10\"" # "\"ps5.cloonar.multimedia IN A 10.42.99.12\"" @@ -216,6 +242,7 @@ in { group = "unbound"; }; + services.resolved.enable = false; services.unbound = { enable = true; diff --git a/hosts/fw.cloonar.com/modules/web/default.nix b/hosts/fw.cloonar.com/modules/web/default.nix new file mode 100644 index 0000000..2d46468 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/web/default.nix 
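Review bot: The new override `"\"web.hilgenberg-gmbh.de IN A 91.107.197.169\""` pins an external domain to a fixed public address in the local resolver, so any change the domain's owner makes (or a retired address) is silently masked for every client of this resolver and is hard to diagnose later; add a comment stating why and for how long, e.g. `# overrides public DNS for web.hilgenberg-gmbh.de: <reason> — remove when <condition>`. `services.resolved.enable = false` in the last hunk would likewise benefit from a one-line reason, since unbound becomes the only local resolver.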
@@ -0,0 +1,113 @@ +{ lib, nixpkgs, pkgs, ... }: let + hostname = "web-02"; + json = pkgs.formats.json { }; + impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz"; +in { + microvm.vms = { + web = { + config = { + microvm = { + mem = 4096; + # hypervisor = "cloud-hypervisor"; + shares = [ + { + source = "/nix/store"; + mountPoint = "/nix/.ro-store"; + tag = "ro-store"; + proto = "virtiofs"; + } + { + source = "/var/lib/microvms/persist/web-02"; + mountPoint = "/persist"; + tag = "persist"; + proto = "virtiofs"; + } + ]; + volumes = [ + { + image = "rootfs.img"; + mountPoint = "/"; + size = 102400; + } + ]; + interfaces = [ + { + type = "tap"; + id = "vm-${hostname}"; + mac = "02:00:00:00:00:03"; + } + ]; + }; + + imports = [ + "${impermanence}/nixos.nix" + ../../utils/modules/sops.nix + ../../utils/modules/lego/lego.nix + # ../../utils/modules/borgbackup.nix + + ./zammad.nix + ./proxies.nix + ]; + + time.timeZone = "Europe/Vienna"; + + systemd.network.networks."10-lan" = { + matchConfig.PermanentMACAddress = "02:00:00:00:00:03"; + address = [ "10.42.97.5/24" ]; + gateway = [ "10.42.97.1" ]; + dns = [ "10.42.97.1" ]; + }; + + fileSystems."/persist".neededForBoot = lib.mkForce true; + environment.persistence."/persist-local" = { + directories = [ + "/var/lib/zammad" + "/var/lib/postgresql" + "/var/log" + "/var/lib/systemd/coredump" + ]; + }; + + environment.systemPackages = with pkgs; [ + vim # my preferred editor + ]; + + networking.hostName = hostname; + + services.openssh = { + enable = true; + hostKeys = [ + { + path = "/persist/etc/ssh/ssh_host_ed25519_key"; + type = "ed25519"; + } + { + path = "/persist/etc/ssh/ssh_host_rsa_key"; + type = "rsa"; + bits = 4096; + } + ]; + }; + users.users.root.openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius" + ]; + + # backups + # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg"; + + + sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; + sops.defaultSopsFile = ./secrets.yaml; + + networking.firewall = { + enable = true; + allowedTCPPorts = [ 22 80 443 ]; + }; + + + system.stateVersion = "22.05"; + }; + }; + }; +} diff --git a/hosts/fw.cloonar.com/modules/web/proxies.nix b/hosts/fw.cloonar.com/modules/web/proxies.nix new file mode 100644 index 0000000..ae3dd6c --- /dev/null +++ b/hosts/fw.cloonar.com/modules/web/proxies.nix @@ -0,0 +1,10 @@ +{ ... }: { + services.nginx.virtualHosts."git.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/" = { + proxyPass = "https://git.cloonar.com/"; + }; + }; +} diff --git a/hosts/fw.cloonar.com/modules/web/secrets.yaml b/hosts/fw.cloonar.com/modules/web/secrets.yaml new file mode 100644 index 0000000..348386c --- /dev/null +++ b/hosts/fw.cloonar.com/modules/web/secrets.yaml 
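Review bot: `environment.persistence."/persist-local"` names a root that nothing in this file mounts, while the virtiofs share and `fileSystems."/persist".neededForBoot` both use `/persist`; unless `/persist-local` is defined elsewhere, the listed directories (`/var/lib/zammad`, `/var/lib/postgresql`, `/var/log`) are bind-mounted from the rootfs image rather than from the host-side persist share, so recreating `rootfs.img` would lose the Zammad database. Change it to `environment.persistence."/persist" = { ... }` or mount `/persist-local` explicitly. The impermanence `fetchTarball` of `master.tar.gz` has no `sha256` and should be pinned to a tagged archive with a hash for the same reason as any other unpinned fetch.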
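Review bot: The `git.cloonar.com` vhost in proxies.nix proxies to `https://git.cloonar.com/` with no `proxy_ssl_*` settings and no forwarded-for headers, so the upstream TLS hop is not verified (nginx defaults to `proxy_ssl_verify off`) and, unless `services.nginx.recommendedProxySettings` is enabled globally, Gitea only ever sees `10.42.97.5` as the client, which removes the source address from its logs for the ports 80/443 the firewall now DNATs here. Add `recommendedProxySettings = true;` to the location (as the firefox-sync container does) and consider `proxy_ssl_verify on; proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt; proxy_ssl_name git.cloonar.com;` in `extraConfig`. Also confirm that `git.cloonar.com` resolves to the Gitea host from inside the VM rather than back to this vhost, which would loop.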
@@ -0,0 +1,32 @@ +borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str] +borg-ssh-key: ENC[AES256_GCM,data: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,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str] +zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUWdTYlRjWDJvemF5Q2sr + VCtrS2dTTGRwUlNIWHd0WkVCRkRMcGhuTzE0ClNic1FmQ05UNWQwbGc4TUFMNGlI + K0RhK2pqUGY3UElmK1pNUEkxV2xGUTQKLS0tIFRORE9JTDRZK0MwZUJoc2xlcHFH + bmp3ZW14TVdCMHhkSi84NE5neDdrY3cKYfgu7aqvG6wQmEFhmzieXFGoQpyffPXj + jiHrAPjBBFy21wdYf0nQXNMzekqOMJwOj0oNA2b5omprPxjB9uns4Q== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUjQxWnBMQXo3QmF1STUw + bHh1NDhvQXZIQ2RiOUx5OU5Wc3BVSEJDUEZVCmVzeFk5SWpMbVV4VUdsRmhiaWwz + bTJDY1pJRXJvNUdCSXJqQ3Byd3lWN2sKLS0tIHRKdXRNc1BYcURBRVNlenk1OEl3 + Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx + SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-08-16T11:12:23Z" + mac: 
ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/hosts/fw.cloonar.com/modules/web/zammad.nix b/hosts/fw.cloonar.com/modules/web/zammad.nix new file mode 100644 index 0000000..b23b5d8 --- /dev/null +++ b/hosts/fw.cloonar.com/modules/web/zammad.nix 
@@ -0,0 +1,120 @@ +{ config, pkgs, ... }: + +{ + services.zammad = { + enable = true; + port = 3010; + secretKeyBaseFile = config.sops.secrets.zammad-key-base.path; + database = { + createLocally = true; + }; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."support.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + + extraConfig = '' + # Virtual endpoint created by nginx to forward auth requests. + location /authelia { + internal; + set $upstream_authelia https://auth.cloonar.com/api/verify; + proxy_pass_request_body off; + proxy_pass $upstream_authelia; + proxy_set_header Content-Length ""; + + # Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # [REQUIRED] Needed by Authelia to check authorizations of the resource. + # Provide either X-Original-URL and X-Forwarded-Proto or + # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. + # Those headers will be used by Authelia to deduce the target url of the user. 
+ # Basic Proxy Config + client_body_buffer_size 128k; + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; + } + ''; + + locations."/" = { + proxyPass = "http://127.0.0.1:3010"; + proxyWebsockets = true; + extraConfig = + "proxy_set_header X-Forwarded-Proto 'https';" + + "proxy_set_header X-Forwarded-Ssl on;" + + "proxy_connect_timeout 300;" + + "proxy_send_timeout 300;" + + "proxy_read_timeout 300;" + + "send_timeout 300;" + ; + }; + locations."/auth/sso" = { + proxyPass = "http://127.0.0.1:3010"; + proxyWebsockets = true; + + extraConfig = '' + # Basic Authelia Config + # Send a subsequent request to Authelia to verify if the user is authenticated + # and has the right permissions to access the resource. + auth_request /authelia; + # Set the `target_url` variable based on the request. It will be used to build the portal + # URL with the correct redirection parameter. + auth_request_set $target_url $scheme://$http_host$request_uri; + # Set the X-Forwarded-User and X-Forwarded-Groups with the headers + # returned by Authelia for the backends which can consume them. + # This is not safe, as the backend must make sure that they come from the + # proxy. In the future, it's gonna be safe to just use OAuth. 
+ auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header Remote-User $user; + proxy_set_header Remote-Groups $groups; + proxy_set_header Remote-Name $name; + proxy_set_header Remote-Email $email; + # If Authelia returns 401, then nginx redirects the user to the login portal. + # If it returns 200, then the request pass through to the backend. + # For other type of errors, nginx will handle them as usual. + error_page 401 =302 https://auth.cloonar.com/?rd=$target_url; + ''; + }; + locations."/ws" = { + proxyPass = "http://127.0.0.1:6042"; + proxyWebsockets = true; + extraConfig = + "proxy_set_header X-Forwarded-Proto 'https';" + + "proxy_set_header X-Forwarded-Ssl on;" + + "proxy_read_timeout 86400;" + + "send_timeout 300;" + ; + }; + }; + + sops.secrets = { + zammad-key-base.owner = "zammad"; + }; + + services.postgresqlBackup.enable = true; + services.postgresqlBackup.databases = [ "zammad" ]; +} diff --git a/hosts/fw.cloonar.com/secrets.yaml b/hosts/fw.cloonar.com/secrets.yaml index 31174e2..d000e01 100644 --- a/hosts/fw.cloonar.com/secrets.yaml +++ b/hosts/fw.cloonar.com/secrets.yaml 
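Review bot: `proxy_pass $upstream_authelia` in the `/authelia` block uses a variable, so nginx resolves `auth.cloonar.com` at request time and needs a `resolver` directive; without one every `/auth/sso` auth subrequest fails instead of producing the login redirect. Add `resolver 10.42.97.1;` to the vhost, or write the block with a literal `proxy_pass https://auth.cloonar.com/api/verify;`. Separately, the `/auth/sso` location sets `Remote-User`/`Remote-Groups`/`Remote-Name`/`Remote-Email` from Authelia's reply but never clears `X-Forwarded-User`, and the `/` and `/ws` locations pass client headers through untouched; since the comments describe Zammad consuming `X-Forwarded-User`, every location proxying to 3010 should explicitly set or blank it (`proxy_set_header X-Forwarded-User "";` on `/` and `/ws`, `proxy_set_header X-Forwarded-User $user;` on `/auth/sso`) so a client-supplied value is never forwarded. The long `/authelia` comment block is copied from upstream docs; trimming it to the lines that apply here would make the actual trust boundary easier to read.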
@@ -6,12 +6,14 @@ wg_cloonar_key: ENC[AES256_GCM,data:Dtp6I5J0jU5LLVwEFU4DFCpUngPRmFMebGXnk2oSwsKt wg_epicenter_works_key: ENC[AES256_GCM,data:LeLjfwfaz+loWyHYRgIMIPzHzlOnhl9tluKcQFgdes6r+deft1JfnUzDuF0=,iv:DKrc3I+U2hWDH8nnc8ZQeaVtA1eVXu7SXdTn1fxHoH4=,tag:V0PL0GrL2NEPVslAZa801A==,type:str] wg_epicenter_works_psk: ENC[AES256_GCM,data:Den3NDWdP013Or6/2Vll1igUahuRSNW4hu+nDa5vkr93bbveQTaWFT4TD4U=,iv:r3UsD3+3lUIP2X3Grti7wpXTQBXtu1/MdrycEmpZfsI=,tag:ghbAcxmjGVOe9jCZsmFzjA==,type:str] wg_ghetto_at_key: ENC[AES256_GCM,data:OIHmoy3SpIi9aefZnZ1PzpyHbEso18ceoTULf2eQkx1rJbaxC6PD1lma7eQ=,iv:u0eFjHHOBzPTmBvBEQsYY5flcBayiAQKd6e7RyiPwJI=,tag:731C9wvv8bA5fuuQq+weVQ==,type:str] +gitea-runner: ENC[AES256_GCM,data:IRx9QzbLJrkF/DYvpVf2012BiSBnHZJe10opkRO2kJuegdb0denW3mvmnU4isoj7jO/0QyN6HZHlHb5ihC7fFl4LavPDVjAAhZPynkpDw9IHFeqZDUSPzxQsq7FibKmfEpEmWEz+Npe8JI1kl694XYV/kqErKa3JrZS7Jm8zFcv7DSY/V5bdy4Is8ZSRtHiP/aVzFdsvjwtissCDnCl7zRZjXUcN0FssvPHBZHxLuc68EoagIw1aVSzkvSVBXer4rFdlefjskFelRnUr3pvm188=,iv:VnvPFDFGz/QyfQmZxQFB3J2ReqaHdRaypb2Vnq7Dthw=,tag:19rx0nlmXLj/6yPRAFGigA==,type:str] gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxUSEMNU7Reu3HLCWuvP0easPU=,iv:4mrfQc1tobg/QiExUuWST6iU9TdNwiS1BMmOnQqCFZU=,tag:85aRoD3IkRq3mcoPdLKaBQ==,type:str] drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str] home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str] home-assistant-secrets.yaml: 
ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str] palworld: ENC[AES256_GCM,data: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,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str] ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str] +firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -45,8 +47,8 @@ sops: ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-04-30T23:51:24Z" - mac: ENC[AES256_GCM,data:joDgRM3f4Faimhx/kU3YZmcaouuWlkyr5AniEWGzAsWkipp5XjIJ10gQ7nnu7zhVfTnwJCNoamjdkoAMfeINY6LK/QCVXIxr4821nqlhLbQfKlZYlEei4ryy1sXmW/n2uhV5rHJqmSo/OKfqGmdRY6heCefseNXDETfxj86NN0s=,iv:rAIspyGn7IFzXUuZZEPEuBnwRMOwBWwycXPiMXtDEKY=,tag:RISzmjUiV+fR6PUcz9PVDw==,type:str] + lastmodified: "2024-08-02T22:57:14Z" + mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1 diff --git a/hosts/mail.cloonar.com/modules/dovecot.nix b/hosts/mail.cloonar.com/modules/dovecot.nix index c8e25ed..66bf5cc 100644 --- a/hosts/mail.cloonar.com/modules/dovecot.nix +++ b/hosts/mail.cloonar.com/modules/dovecot.nix @@ -55,6 +55,10 @@ let doveadm user *@szaku-consulting.at | while read user; do doveadm -v sync -u $user $SERVER done + + doveadm user *@korean-skin.care | while read user; do + doveadm -v sync -u $user $SERVER + done ''; quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" '' diff --git a/hosts/mail.cloonar.com/modules/openldap.nix b/hosts/mail.cloonar.com/modules/openldap.nix index 032507e..07029aa 100644 --- a/hosts/mail.cloonar.com/modules/openldap.nix +++ b/hosts/mail.cloonar.com/modules/openldap.nix 
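Review bot: The new loop's glob `*@korean-skin.care` and the expansions `$user` / `$SERVER` are unquoted, so the pattern is subject to pathname expansion in the script's working directory and `read` without `-r` mangles backslashes in the output; the two existing loops above use the same shape, but they predate this commit. Quoting fixes the new loop without changing its behaviour for ordinary addresses: `doveadm user "*@korean-skin.care" | while read -r user; do` / `doveadm -v sync -u "$user" "$SERVER"`. With a third copy of the same three lines, one loop over a list of domains would also keep the set of synced domains in one place. The shell script this hunk sits in starts outside the hunk.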
@@ -255,6 +255,33 @@ in { # olcPPolicyHashCleartext = "TRUE"; # }; + "olcDatabase={8}mdb".attrs = { + objectClass = ["olcDatabaseConfig" "olcMdbConfig"]; + + olcDatabase = "{8}mdb"; + olcDbDirectory = "/var/lib/openldap/data"; + + olcSuffix = "dc=korean-skin,dc=care"; + + olcAccess = [ + '' + {0}to attrs=userPassword + by self write + by anonymous auth + by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write + by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * none + '' + '' + {1}to * + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + ]; + }; # "cn=module{0},cn=config" = { # attrs = { diff --git a/hosts/nb-new.cloonar.com/configuration.nix b/hosts/nb-new.cloonar.com/configuration.nix index ec70a01..a95f3d3 100644 --- a/hosts/nb-new.cloonar.com/configuration.nix +++ b/hosts/nb-new.cloonar.com/configuration.nix @@ -18,6 +18,7 @@ in { ./utils/modules/sops.nix ./utils/modules/nur.nix + ./modules/appimage.nix ./modules/sway/sway.nix ./modules/printer.nix ./modules/nvim/default.nix @@ -34,6 +35,7 @@ in { fonts.packages = with pkgs; [ open-sans + ]; # nixos cross building qemu @@ -108,17 +110,19 @@ in { environment.systemPackages = with pkgs; [ bento - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - wget + creality-print docker-compose drone-cli + git-filter-repo + nix-prefetch-git + openaudible + vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. + wget wireguard-tools wineWowPackages.stable wineWowPackages.fonts winetricks - git-filter-repo ykfde - nix-prefetch-git ]; environment.variables = { 
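Review bot: The `{1}to *` rule of the new `{8}mdb` database ends with `by * read`, which grants unauthenticated (anonymous) clients read access to every attribute other than `userPassword` under `dc=korean-skin,dc=care`; the `by dn.subtree=...` and `by group.exact=...` clauses before it add nothing for readers. If anonymous browsing of this suffix is not required, `by users read` followed by `by * none` limits reads to bound identities, which the `{0}` rule already lets authenticate. It is also worth confirming that `/var/lib/openldap/data` is not the `olcDbDirectory` of another mdb database in this file, since each mdb backend needs its own directory. The attribute set this hunk extends starts outside the hunk.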
diff --git a/hosts/nb-new.cloonar.com/modules/appimage.nix b/hosts/nb-new.cloonar.com/modules/appimage.nix new file mode 100644 index 0000000..966dc81 --- /dev/null +++ b/hosts/nb-new.cloonar.com/modules/appimage.nix @@ -0,0 +1,11 @@ +{ lib, pkgs, ... }: +{ + boot.binfmt.registrations.appimage = { + wrapInterpreterInShell = false; + interpreter = "${pkgs.appimage-run}/bin/appimage-run"; + recognitionType = "magic"; + offset = 0; + mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff''; + magicOrExtension = ''\x7fELF....AI\x02''; + }; +} diff --git a/hosts/nb-new.cloonar.com/modules/sway/sway.conf b/hosts/nb-new.cloonar.com/modules/sway/sway.conf index ea26c5b..e1d0b8e 100644 --- a/hosts/nb-new.cloonar.com/modules/sway/sway.conf +++ b/hosts/nb-new.cloonar.com/modules/sway/sway.conf @@ -5,7 +5,7 @@ # i3 config file (v4) # font for window titles and bar -font pango:Source Sans Pro 10 +font pango:Source Sans Pro 15 # use win key set $mod Mod4 
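Review bot: `lib` is bound in the module's argument set but never used in the body; `{ pkgs, ... }:` is enough and matches the file's otherwise minimal style. A one-line header comment would also help the next reader, e.g. `# binfmt_misc registration so AppImages run directly via appimage-run, matched on the bytes in magicOrExtension`.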
@@ -211,7 +211,7 @@ bindsym $mod+Shift+c reload bindsym $mod+Shift+r restart # manage i3 session -bindsym $mod+Shift+e exec swaynag --background f1fa8c --border ffb86c --border-bottom-size 0 --button-background ffb86c --button-text 282a36 -t warning -f "pango:Hack 9" -m "Do you really want to exit?" -B "  Exit " "swaymsg exit" -B "  Lock " "pkill swaynag && swaylock -c 252525 -s center -i ~/.wallpaper.png" -B "  Reboot " "pkill swaynag && reboot" -B "  Shutdown " "pkill swaynag && shutdown -h now" -B " Suspend " "pkill swaynag && systemctl suspend" +bindsym $mod+Shift+e exec swaynag --background f1fa8c --border ffb86c --border-bottom-size 0 --button-background ffb86c --button-text 282a36 -t warning -f "pango:Hack 9" -m "Do you really want to exit?" -B "  Auto Suspend Off " "pkill swayidle" -B "  Exit " "swaymsg exit" -B "  Lock " "pkill swaynag && swaylock -c 252525 -s center -i ~/.wallpaper.png" -B "  Reboot " "pkill swaynag && reboot" -B "  Shutdown " "pkill swaynag && shutdown -h now" -B " Suspend " "pkill swaynag && systemctl suspend" # resize window bindsym $mod+r mode "  " @@ -288,6 +288,9 @@ gaps inner 12 gaps outer 0 # startup applications +exec_always { + gsettings set org.gnome.desktop.interface text-scaling-factor 1.5 +} exec /run/wrappers/bin/gnome-keyring-daemon --start --daemonize exec dbus-sway-environment exec configure-gtk @@ -311,7 +314,7 @@ exec 'sleep 2; swaymsg workspace $ws8; swaymsg layout tabbed' exec mako --default-timeout=5000 # wallpaper -output eDP-1 scale 1.5 +output eDP-1 scale 1 output eDP-1 bg #282a36 solid_color output eDP-1 bg ~/.wallpaper.png center output DP-4 bg #282a36 solid_color @@ -353,7 +356,7 @@ bindswitch --locked lid:off output $laptop_screen enable # Touchpad input type:touchpad { -tap enabled -natural_scroll enabled + tap enabled + natural_scroll enabled } diff --git a/hosts/nb-new.cloonar.com/modules/sway/sway.nix b/hosts/nb-new.cloonar.com/modules/sway/sway.nix index d275eae..fd7a8e5 100644 
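Review bot: The new `Auto Suspend Off` button runs `pkill swayidle` without first dismissing the prompt, unlike the Lock, Reboot, Shutdown and Suspend buttons on the same line, which all start with `pkill swaynag &&`; the nag bar therefore stays open after the click. Use the same prefix: `-B "  Auto Suspend Off " "pkill swaynag && pkill swayidle"`. Nothing in the hunk restarts swayidle afterwards, so the button disables idle handling until the next sway restart; if that is intended, a comment above the bindsym saying so would save the next reader a search.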
--- a/hosts/nb-new.cloonar.com/modules/sway/sway.nix +++ b/hosts/nb-new.cloonar.com/modules/sway/sway.nix @@ -21,6 +21,9 @@ let unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) { config = { allowUnfree = true; }; }; + orca-slicer-pin = import (builtins.fetchTarball { + url = "https://github.com/NixOS/nixpkgs/archive/67b4bf1df4ae54d6866d78ccbd1ac7e8a8db8b73.tar.gz"; + }) {}; in { imports = [ ./social.nix @@ -45,25 +48,17 @@ in { theme = "where_is_my_sddm_theme_qt5"; }; - # services.xserver = { - # enable = true; - # excludePackages = [ pkgs.xterm ]; - # displayManager.gdm.enable = true; - # displayManager.gdm.wayland = true; - # # displayManager.sddm.enable = true; - # displayManager.sessionPackages = [ pkgs.sway ]; - # displayManager.defaultSession = "sway"; - # libinput.enable = true; - # }; - environment.systemPackages = with pkgs; [ alsaUtils + audacity apache-directory-studio bitwarden bitwarden-cli rofi-rbw-wayland cryptomator + quickemu + brave chromium firefox @@ -110,6 +105,7 @@ in { mqttui networkmanagerapplet nextcloud-client + nodejs_22 onlyoffice-bin pavucontrol pcmanfm diff --git a/hosts/nb-new.cloonar.com/modules/sway/waybar.css b/hosts/nb-new.cloonar.com/modules/sway/waybar.css index c927754..d937fd2 100644 --- a/hosts/nb-new.cloonar.com/modules/sway/waybar.css +++ b/hosts/nb-new.cloonar.com/modules/sway/waybar.css @@ -1,5 +1,5 @@ * { - font-size: 20px; + font-size: 30px; font-family: monospace; } @@ -33,7 +33,7 @@ window#waybar { } #workspaces button { - padding: 0 2px; + padding: 0 4px; color: #f8f8f2; } #workspaces button.focused { @@ -46,7 +46,7 @@ window#waybar { #workspaces button:hover { background: #252525; border: #252525; - padding: 0 3px; + padding: 0 6px; } #network { @@ -75,5 +75,5 @@ window#waybar { #cpu, #battery, #disk { - padding: 0 10px; + padding: 0 20px; } 
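Review bot: The new `orca-slicer-pin` import calls `builtins.fetchTarball` with only a `url`, so the archive is neither integrity-checked nor cached beyond Nix's tarball TTL, and evaluations after the TTL re-download it; the commit id in the URL pins the revision name, not the bytes. Add the hash next to the url: `sha256 = "<sha256-of-the-archive>";` (placeholder; the value comes from the first fetch error or `nix-prefetch-url --unpack`). The pre-existing `unstable` fetch above it has the same shape but predates this commit. The `let` block starts outside the hunk, and the binding's use is not visible here.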
diff --git a/hosts/nb-new.cloonar.com/users/configs/project_history b/hosts/nb-new.cloonar.com/users/configs/project_history index fb5bf77..6ddd2ad 100644 --- a/hosts/nb-new.cloonar.com/users/configs/project_history +++ b/hosts/nb-new.cloonar.com/users/configs/project_history @@ -9,9 +9,11 @@ /home/dominik/projects/cloonar/paraclub/paraclub-module /home/dominik/projects/cloonar/amz/amz-api /home/dominik/projects/cloonar/amz/amz-frontend +/home/dominik/projects/cloonar/hilgenberg-website +/home/dominik/projects/cloonar/korean-skin.care /home/dominik/projects/myhidden.life/myhidden.life-web /home/dominik/projects/socialgrow.tech/sgt-api -/home/dominik/projects/epicenter.works/campaigntool +/home/dominik/projects/epicenter.works/ewcampaign /home/dominik/projects/epicenter.works/epicenter.works /home/dominik/projects/epicenter.works/epicenter-nixos /home/dominik/projects/epicenter.works/spenden.akvorrat.at diff --git a/hosts/nb-new.cloonar.com/users/dominik.nix b/hosts/nb-new.cloonar.com/users/dominik.nix index c16d6ce..f27bc24 100644 --- a/hosts/nb-new.cloonar.com/users/dominik.nix +++ b/hosts/nb-new.cloonar.com/users/dominik.nix @@ -15,6 +15,7 @@ let "calendar.ui.version" = 3; "calendar.timezone.local" = "Europe/Vienna"; "calendar.week.start" = 1; + "layout.css.devPixelsPerPx" = "1.5"; }; thunderbirdCalendarPersonal = { 
@@ -68,12 +69,20 @@ let "devtools.toolbox.host" = "right"; "browser.uiCustomization.state" = "{\"placements\":{\"widget-overflow-fixed-list\":[],\"unified-extensions-area\":[],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"urlbar-container\",\"downloads-button\",\"screenshot-button\",\"ublock0_raymondhill_net-browser-action\",\"jid1-mnnxcxisbpnsxq_jetpack-browser-action\",\"_d634138d-c276-4fc8-924b-40a0ea21d284_-browser-action\",\"_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action\",\"_testpilot-containers-browser-action\",\"unified-extensions-button\"],\"toolbar-menubar\":[\"menubar-items\"],\"TabsToolbar\":[\"firefox-view-button\",\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"PersonalToolbar\":[\"import-button\",\"personal-bookmarks\"]},\"seen\":[\"save-to-pocket-button\",\"_d634138d-c276-4fc8-924b-40a0ea21d284_-browser-action\",\"_testpilot-containers-browser-action\",\"_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action\",\"ublock0_raymondhill_net-browser-action\",\"jid1-mnnxcxisbpnsxq_jetpack-browser-action\",\"developer-button\"],\"dirtyAreaCache\":[\"unified-extensions-area\",\"nav-bar\",\"PersonalToolbar\"],\"currentVersion\":20,\"newElementCount\":3}"; "signon.rememberSignons" = false; + "identity.sync.tokenserver.uri" = "https://sync.cloonar.com:5000/token/1.0/sync/1.5"; + # "toolkit.legacyUserProfileCustomizations.stylesheets" = true; + "layout.css.devPixelsPerPx" = "1.5"; }; + firefoxUserChrome = '' + * { + font-size: 16pt !important + } + ''; + firefoxExtensions = with pkgs.nur.repos.rycee.firefox-addons; [ bitwarden multi-account-containers - onepassword-password-manager privacy-badger ublock-origin ]; @@ -91,9 +100,11 @@ in allowOther = true; directories = [ ".ApacheDirectoryStudio" + ".config/Creality" ".config/github-copilot" ".config/libreoffice" ".config/Nextcloud" + ".config/OrcaSlicer" ".config/rustdesk" ".config/Signal" ".config/sops" 
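Review bot: `firefoxUserChrome` is defined here, but Firefox only applies a profile's `userChrome.css` when `toolkit.legacyUserProfileCustomizations.stylesheets` is true, and that pref is added commented out in the same hunk; unless the home-manager version in use sets it automatically when `userChrome` is non-empty, the font-size override never takes effect. Uncomment it: `"toolkit.legacyUserProfileCustomizations.stylesheets" = true;`. The `firefoxSettings` attribute set this hunk edits starts outside the hunk.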
@@ -103,6 +114,7 @@ in ".thunderbird" "cloud.cloonar.com" "cloud.epicenter.works" + "OpenAudible" "projects" "go" ]; @@ -282,6 +294,7 @@ in id = 0; isDefault = true; settings = firefoxSettings; + userChrome = firefoxUserChrome; search.default = "DuckDuckGo"; search.privateDefault = "DuckDuckGo"; search.force = true; @@ -290,6 +303,7 @@ in social = { id = 1; settings = firefoxSettings; + userChrome = firefoxUserChrome; search.default = "DuckDuckGo"; search.privateDefault = "DuckDuckGo"; search.force = true; 
@@ -345,13 +359,15 @@ in git clone gitea@git.cloonar.com:Paraclub/module.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-module 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/amz-api.git /nix/persist/user/dominik/projects/cloonar/amz/amz-api 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git /nix/persist/user/dominik/projects/cloonar/amz/amz-frontend 2>/dev/null + git clone gitea@git.cloonar.com:hilgenberg/website.git /nix/persist/user/dominik/projects/cloonar/hilgenberg-website 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git /nix/persist/user/dominik/projects/cloonar/korean-skin.care 2>/dev/null git clone gitea@git.cloonar.com:myhidden.life/web.git /nix/persist/user/dominik/projects/myhidden.life/myhidden.life-web 2>/dev/null git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git /nix/persist/user/dominik/projects/socialgrow.tech/sgt-api 2>/dev/null ssh-keygen -R gitlab.epicenter.works ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts - git clone git@gitlab.epicenter.works:epicenter.works/campaigntool.git /nix/persist/user/dominik/projects/epicenter.works/campaigntool 2>/dev/null + git clone git@github.com:AKVorrat/ewcampaign.git /nix/persist/user/dominik/projects/epicenter.works/ewcampaign 2>/dev/null git clone git@gitlab.epicenter.works:epicenter.works/website.git /nix/persist/user/dominik/projects/epicenter.works/epicenter.works 2>/dev/null git clone git@gitlab.epicenter.works:epicenter.works/nixos.git /nix/persist/user/dominik/projects/epicenter.works/epicenter-nixos 2>/dev/null git clone git@github.com:AKVorrat/spenden.akvorrat.at.git /nix/persist/user/dominik/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null @@ -413,6 +429,12 @@ in TERM = "xterm-256color"; }; }; + "*.hilgenberg-gmbh.de" = { + user = "root"; + setEnv = { + TERM = "xterm-256color"; + }; + }; "amz-websrv-01.amz.at" = { user = "ebs"; }; 
diff --git a/hosts/web-01.cloonar.com/configuration.nix b/hosts/web-01.cloonar.com/configuration.nix index 63b7c90..d799512 100644 --- a/hosts/web-01.cloonar.com/configuration.nix +++ b/hosts/web-01.cloonar.com/configuration.nix @@ -47,6 +47,7 @@ ./sites/module.paraclub.cloonar.dev.nix ./sites/gbv-aktuell.cloonar.dev.nix ./sites/stage.myhidden.life.nix + ./sites/stage.korean-skin.care.nix ]; nixpkgs.config.permittedInsecurePackages = [ diff --git a/hosts/web-01.cloonar.com/modules/authelia/default.nix b/hosts/web-01.cloonar.com/modules/authelia/default.nix index 2f8bdc7..70ff56a 100644 --- a/hosts/web-01.cloonar.com/modules/authelia/default.nix +++ b/hosts/web-01.cloonar.com/modules/authelia/default.nix @@ -232,6 +232,7 @@ extraConfig = '' allow 127.0.0.1; allow 49.12.244.139; + allow 77.119.230.30; deny all; ''; }; @@ -254,6 +255,7 @@ # Basic Proxy Config proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; diff --git a/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix b/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix index fc74e8a..8b40ad0 100644 --- a/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix +++ b/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix @@ -30,10 +30,7 @@ in services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = '' return 301 https://autoconfig.cloonar.com$request_uri; ''; - services.nginx.virtualHosts."autoconfig.ghetto.at".extraConfig = '' - return 301 https://autoconfig.cloonar.com$request_uri; - ''; - services.nginx.virtualHosts."autoconfig.optiprot.eu".extraConfig = '' + services.nginx.virtualHosts."autoconfig.korean-skin.care".extraConfig = '' return 301 https://autoconfig.cloonar.com$request_uri; ''; } 
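Review bot: `allow 77.119.230.30;` joins the `/api/verify` allow list with no note of what that address is, and a bare address in an ACL goes stale silently when the client behind it changes; `allow 49.12.244.139;` above it has the same problem but predates this commit. Annotate the new entry, e.g. `allow 77.119.230.30; # <which host or network this is, and whether the address is static>`. The identical line appears in the new copy of this file at hosts/web-arm/modules/authelia/default.nix, whose `index` line carries the same blob id `70ff56a` as this file's new version. The `locations."/api/verify"` block starts outside the hunk.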
diff --git a/hosts/web-01.cloonar.com/sites/autoconfig.nix b/hosts/web-01.cloonar.com/sites/autoconfig.nix index 984990e..963d2b8 100644 --- a/hosts/web-01.cloonar.com/sites/autoconfig.nix +++ b/hosts/web-01.cloonar.com/sites/autoconfig.nix @@ -51,6 +51,7 @@ in services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig; services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig; services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig; + services.nginx.virtualHosts."autoconfig.korean-skin.care" = vhostConfig; systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false; diff --git a/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix b/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix new file mode 100644 index 0000000..03b73ef --- /dev/null +++ b/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix 
@@ -0,0 +1,61 @@
+{ pkgs, lib, config, ... }:
+let
+ user = "stage_korean_skin_care";
+ domain = "stage.korean-skin.care";
+ dataDir = "/var/www/${domain}";
+in {
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.html;
+ '';
+
+ locations."~* \.(jpe?g|png)$".extraConfig = ''
+ set $red Z;
+
+ if ($http_accept ~* "webp") {
+ set $red A;
+ }
+
+ if (-f $document_root/webp/$request_uri.webp) {
+ set $red "''${red}B";
+ }
+
+ if ($red = "AB") {
+ add_header Vary Accept;
+ rewrite ^ /webp/$request_uri.webp;
+ }
+ '';
+
+ locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ expires 365d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ deny all;
+ '';
+ };
+ users.users."${user}" = {
+ isNormalUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ #home = "/home/${domain}";
+ group = "nginx";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLGkR8JVFtyFnsXTooT/krORpPDdnFk612GW1agaOeG"
+ ];
+ };
+ users.groups.${user} = {};
+}
diff --git a/hosts/web-arm/channel b/hosts/web-arm/channel
new file mode 100644
index 0000000..425c774
--- /dev/null
+++ b/hosts/web-arm/channel
@@ -0,0 +1 @@
+https://channels.nixos.org/nixos-24.05
diff --git a/hosts/web-arm/configuration.nix b/hosts/web-arm/configuration.nix
new file mode 100644
index 0000000..52afb76
--- /dev/null
+++ b/hosts/web-arm/configuration.nix
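Review bot: In Nix double-quoted strings an unknown escape keeps only the escaped character, so `\.` becomes `.` and the three regex locations reach nginx as `~* .(jpe?g|png)$`, `~* .(js|...)$` and `~ [^/].php(/|$)`, where the dot matches any character; the PHP deny rule, for instance, also fires for a path ending in `xphp` and the cache rule for one ending in `xpng`. Write `\\.` in each: `locations."~* \\.(jpe?g|png)$"`, `locations."~* \\.(js|jpg|gif|png|webp|css|woff2)$"`, `locations."~ [^/]\\.php(/|$)"`. `users.groups.${user} = {}` is created but unused, since the user's `group` is `nginx`; together with `homeMode= "770"` that also gives every member of the nginx group write access to the document root, which deserves a comment if it is intended.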
@@ -0,0 +1,83 @@
+{ ... }: {
+ imports = [
+ ./utils/bento.nix
+ ./utils/modules/sops.nix
+ ./utils/modules/lego/lego.nix
+
+
+ ./modules/mysql.nix
+ ./utils/modules/nginx.nix
+ ./modules/bitwarden
+ ./modules/authelia
+ ./modules/collabora.nix
+ # ./modules/nextcloud
+ ./modules/rustdesk.nix
+ ./modules/postgresql.nix
+ ./modules/grafana.nix
+ ./modules/loki.nix
+ ./modules/victoriametrics.nix
+
+ ./utils/modules/autoupgrade.nix
+ ./utils/modules/promtail
+ ./utils/modules/borgbackup.nix
+ ./utils/modules/netdata.nix
+
+ ./hardware-configuration.nix
+
+ ./modules/web/typo3.nix
+ ./modules/web/stack.nix
+
+ ./sites/autoconfig.cloonar.com.nix
+
+ ./sites/cloonar.com.nix
+ ./sites/gbv-aktuell.at.nix
+ ./sites/matomo.cloonar.com.nix
+
+ ./sites/cloonar.dev.nix
+ ./sites/paraclub.cloonar.dev.nix
+ ./sites/api.paraclub.cloonar.dev.nix
+ ./sites/tandem.paraclub.cloonar.dev.nix
+ ./sites/module.paraclub.cloonar.dev.nix
+ ./sites/gbv-aktuell.cloonar.dev.nix
+ ./sites/stage.myhidden.life.nix
+ ./sites/stage.korean-skin.care.nix
+ ];
+
+ nixpkgs.config.permittedInsecurePackages = [
+ "openssl-1.1.1v"
+ "openssl-1.1.1w"
+ ];
+
+ time.timeZone = "Europe/Vienna";
+
+ services.logind.extraConfig = "RuntimeDirectorySize=2G";
+
+ sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+ sops.defaultSopsFile = ./secrets.yaml;
+
+ nix.gc = {
+ automatic = true;
+ options = "--delete-older-than 60d";
+ };
+
+ boot.tmp.cleanOnBoot = true;
+ zramSwap.enable = true;
+ networking.hostName = "web-arm";
+ services.openssh.enable = true;
+ users.users.root.openssh.authorizedKeys.keys = [
+ "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+ ];
+
+ # backups
+ borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg";
+ services.borgbackup.jobs.default.startAt = "Fri 2012-11-23 11:12:13"
+
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 22 80 443 ];
+ };
+
+ system.stateVersion = "22.05";
+}
diff --git a/hosts/web-arm/fleet.nix b/hosts/web-arm/fleet.nix
new file mode 120000
index 0000000..5b16de1
--- /dev/null
+++ b/hosts/web-arm/fleet.nix
@@ -0,0 +1 @@
+../../fleet.nix
\ No newline at end of file
diff --git a/hosts/web-arm/hardware-configuration.nix b/hosts/web-arm/hardware-configuration.nix
new file mode 100644
index 0000000..f67b9f4
--- /dev/null
+++ b/hosts/web-arm/hardware-configuration.nix
@@ -0,0 +1,9 @@
+{ modulesPath, ... }:
+{
+ imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
+ boot.loader.grub.device = "/dev/sda";
+ boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
+ boot.initrd.kernelModules = [ "nvme" ];
+ fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
+
+}
diff --git a/hosts/web-arm/modules/authelia/default.nix b/hosts/web-arm/modules/authelia/default.nix
new file mode 100644
index 0000000..70ff56a
--- /dev/null
+++ b/hosts/web-arm/modules/authelia/default.nix
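Review bot: `services.borgbackup.jobs.default.startAt = "Fri 2012-11-23 11:12:13"` has no terminating `;`, so the file does not parse and the whole host configuration fails to evaluate. Once that is fixed, the value itself is a single timestamp in the past (the example from systemd.time(7)), so the backup timer would never fire; a recurring calendar expression is needed, e.g. `services.borgbackup.jobs.default.startAt = "daily";`. `system.stateVersion = "22.05"` on a host whose `channel` file points at nixos-24.05 also looks copied from an older machine; if this is a fresh install it should be the release it was installed with.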
@@ -0,0 +1,281 @@ +{ config, ... }: + +{ + sops.secrets.authelia-jwt-secret = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + sops.secrets.authelia-backend-ldap-password = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + sops.secrets.authelia-storage-encryption-key = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + sops.secrets.authelia-session-secret = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + sops.secrets.authelia-identity-providers-oidc-hmac-secret = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + sops.secrets.authelia-identity-providers-oidc-issuer-private-key = { + owner = "authelia-main"; + sopsFile = ./secrets.yaml; + }; + + services.authelia.instances.main = { + enable = true; + secrets = { + jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path; + storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path; + sessionSecretFile = config.sops.secrets.authelia-session-secret.path; + oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path; + oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path; + }; + environmentVariables = { + "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; + "AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; + }; + settings = { + theme = "dark"; + default_redirection_url = "https://cloonar.com"; + + server = { + host = "127.0.0.1"; + port = 9091; + }; + + # log = { + # level = "debug"; + # format = "text"; + # }; + + authentication_backend = { + ldap = { + url = "ldaps://ldap.cloonar.com"; + base_dn = "DC=cloonar,DC=com"; + additional_users_dn = "OU=users"; + users_filter = 
"(&({username_attribute}={input})(objectClass=person))"; + username_attribute = "mail"; + mail_attribute = "mail"; + display_name_attribute = "cn"; + additional_groups_dn = "OU=groups"; + groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; + group_name_attribute = "cn"; + permit_referrals = false; + permit_unauthenticated_bind = false; + user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com"; + }; + }; + + webauthn = { + disable = false; + display_name = "Authelia"; + attestation_conveyance_preference = "indirect"; + user_verification = "preferred"; + timeout = "60s"; + }; + + totp = { + disable = false; + issuer = "auth.cloonar.com"; + algorithm = "sha1"; + digits = 6; + period = 30; + skew = 1; + secret_size = 32; + }; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = ["auth.cloonar.com"]; + policy = "bypass"; + } + { + domain = ["*.cloonar.com"]; + policy = "two_factor"; + } + ]; + }; + + session = { + name = "authelia_session"; + expiration = "12h"; + inactivity = "45m"; + remember_me_duration = "1M"; + domain = "cloonar.com"; + # todo: enable with 4.38 + # cookies = [ + # { + # domain = "cloonar.com"; + # } + # { + # domain = "cloonar.dev"; + # } + # { + # domain = "gbv-aktuell.at"; + # same_site = "strict"; + # } + # ]; + }; + + regulation = { + max_retries = 3; + find_time = "5m"; + ban_time = "15m"; + }; + + storage = { + # mysql = { + # host = "/run/mysqld/mysqld.sock'"; + # port = 3306; + # database = "authelia_main"; + # username = "authelia_main"; + # password = "socket_auth"; + # timeout = "5s"; + # }; + local = { + path = "/var/lib/authelia-main/db.sqlite3"; + }; + }; + + notifier = { + disable_startup_check = false; + # filesystem = { + # filename = "/var/lib/authelia-main/notification.txt"; + # }; + smtp = { + host = "mail.cloonar.com"; + port = 25; + username = "authelia@cloonar.com"; + sender = "Authelia "; + }; + }; + identity_providers = { + oidc = { + ## The other portions of the mandatory OpenID Connect 
1.0 configuration go here. + ## See: https://www.authelia.com/c/oidc + clients = [ + { + id = "gitea"; + description = "Gitea"; + secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A"; + public = false; + authorization_policy = "one_factor"; + redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ]; + pre_configured_consent_duration = "1y"; + scopes = [ + "openid" + "profile" + "email" + ]; + userinfo_signing_algorithm = "none"; + } + { + id = "nextcloud"; + description = "Nextcloud"; + secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw"; + public = false; + authorization_policy = "one_factor"; + redirect_uris = [ + "https://nextcloud.cloonar.com/apps/oidc_login/oidc" + "https://cloud.cloonar.com/apps/user_oidc/code" + ]; + pre_configured_consent_duration = "1y"; + scopes = [ + "openid" + "profile" + "email" + "groups" + ]; + userinfo_signing_algorithm = "none"; + } + { + id = "grafana"; + description = "Grafana"; + secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA"; + public = false; + authorization_policy = "one_factor"; + redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ]; + pre_configured_consent_duration = "1y"; + scopes = [ + "openid" + "profile" + "email" + "groups" + ]; + userinfo_signing_algorithm = "none"; + } + ]; + }; + }; + }; + }; + services.nginx.virtualHosts."auth.cloonar.com" = { + enableACME = true; + forceSSL = true; + acmeRoot = null; + + locations."/api/verify" = { + proxyPass = "http://127.0.0.1:9091"; + proxyWebsockets = true; + + extraConfig = '' + allow 127.0.0.1; + allow 49.12.244.139; + allow 77.119.230.30; + deny all; + ''; + }; + + locations."/" = { + proxyPass = "http://127.0.0.1:9091"; + proxyWebsockets = true; + + extraConfig = 
'' + client_body_buffer_size 128k; + + #Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + + # Basic Proxy Config + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + # If behind reverse proxy, forwards the correct IP + set_real_ip_from 10.0.0.0/8; + set_real_ip_from 172.0.0.0/8; + set_real_ip_from 192.168.0.0/16; + set_real_ip_from fc00::/7; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + ''; + }; + }; +} diff --git a/hosts/web-arm/modules/authelia/secrets.yaml b/hosts/web-arm/modules/authelia/secrets.yaml new file mode 100644 index 0000000..8b3893b --- /dev/null +++ b/hosts/web-arm/modules/authelia/secrets.yaml 
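Review bot: `set_real_ip_from 172.0.0.0/8;` trusts `X-Forwarded-For` from the whole 172/8 block, but the private range is 172.16.0.0/12; the rest of that /8 is public address space, from which a client could supply its own `X-Forwarded-For` and have it become `$remote_addr` in the `/` location and thus the `X-Real-IP` / `X-Forwarded-For` values Authelia receives for regulation and logging. Replace it with `set_real_ip_from 172.16.0.0/12;`. Separately, `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` points at `authelia-backend-ldap-password.path`, the same file as the LDAP bind password; if that reuse is deliberate it deserves a comment, otherwise a separate sops secret for the SMTP credential keeps the two independent. This file's `index` blob id `70ff56a` is the same as web-01's post-change version of the same path, so both points apply there too.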
@@ -0,0 +1,45 @@ +authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str] +authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str] +authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:yyqauvp+/8ufhCaZ1o0DWn4Nx1rdTW8C1HRVAtyCRuBaQA/yFVmZkwFVbnIDC3TrmuEMc2MXzVCREbdDsEqkGm6LJAB4Eq31NyhhbAtKufeqKHhMgEF4d41K71V//FJn2/ZBY6CaR1Ke0rX3p/Rpwk0rwddikkUmdJ7i7w9ayP8=,iv:ONBU0uWEUeQxQCGmHtGOySuLmTnJlAx//lQcK32i1Gs=,tag:Tk2BbYZSqbJRc/2cj8yxHQ==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data: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,iv:jhnNkcLXN3pHx6S8g78+R6X+ckhOF35QK615zcH2gqI=,tag:JSHDo9nbBbhpiQFSrLuDdg==,type:str] +authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:PWdVLhu0BPx7sXMzow9wl+cqDXD2Y5J5lfVSX3tNCMg=,tag:P4vHogedMdAUeIh4XHlmdw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWkRuWXdaQ1RUbkF1d2p0 + 
elZkbnFVSW9tVjdqSHFvbjFiL202cW1tWjJ3ClpDUEFIMDFteFA1QTdTVmtVWHI0 + OFRuU1Fockh4aTBwa3l3ZjdiMFFYSm8KLS0tIGdCZjZNVXNVZWV3ZlJzY3ZyZXhr + WFp1eVZna1VWUUZuTVY4Q2h2c0Y2ZDAKcglSV3UBoZ65+SsM+zRFJmjIH61jXbT0 + rpeJ8/0i4THmVpbZY+NOIh2zECmzBkAA06jv0jMoftL40h2wsdgncg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBna282T2hYcDl4UWFISDVL + eE42MjVxZndUVEU5bjJwUzdHU2xHNXVNRW13CmZwUmdCWDFNVmdDbktwOXBIbzNZ + eGgrZHQwMEdRSG11aWpoSllrcjBBY2cKLS0tIFBZRUdYVUhsbFZYV0w5T3RYc0Ez + RDJZcjA4VFNadEZCUmpOVWRBdGNKMzQKhhQCbeRxDvhFVsF3G+OoXo4i+koqqgrV + o/esYoxA1ZNsS9mhFbfMw1C2YO43iPtaWChAO5zUABDALD6dJ1Rf1A== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZUJuMnNwTGpSdVA4UXV5 + bkdGTWJsRjliMGJWcXBKekc3WDZiN0FWV0MwCmZIVld4M0xaWWhmUDVqSGcwbGpz + S0kzQy9scDRObS82WkMzYUw2dVBaWXMKLS0tIGpkeFZqdXIrY0lFdUgwekNJeDN4 + eFhnWGdoTzdyZmtjZDJBc3FveTRaN0EKBj2hSr6qDxwW+k5hox47P5uyoHQAzCjH + +TplhMUd5p8/ud3U4lixLezGu1qftVSKtz/4SAXrSC5DYZJF1w7tDQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-17T01:43:14Z" + mac: ENC[AES256_GCM,data:zcCKk+VAddbb4vZltdC6hKPAnoo4rvcLcmIsKATQekbVo9OUk5Q5JnxglgAxXyj/YMZ7tIY/IXoWdSW4Kw673vthVnWpGLnuHtXJFGslkQ+GEkIt0z/oepr33gXErsEolZ3rIx02CVsIK5tb38ol0DhAe+6dUihsi23HruMJNog=,iv:2RVGRBTgqR9YLrRpoxuN72NOcXvRlZVTaPNiU7l75w0=,tag:lr4/sBBE9F27II289OWUNQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/web-arm/modules/bitwarden/default.nix b/hosts/web-arm/modules/bitwarden/default.nix new file mode 100644 index 0000000..f9ce977 --- /dev/null +++ b/hosts/web-arm/modules/bitwarden/default.nix 
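Review bot: The `sops.age` recipient list of this new secrets file holds only three recipients, and none of them appears to be an age identity for the new `web-arm` host this commit introduces; unless one of these three keys is in fact web-arm's, sops-nix on that host will be unable to decrypt `authelia-jwt-secret` and the other values at activation time. The same three-recipient set is used by `hosts/web-arm/modules/bitwarden/secrets.yaml` in this commit, so both files need re-encryption (`sops updatekeys`) with the host's key added, and the matching creation rule in `.sops.yaml` must actually cover the `hosts/web-arm/modules/…/secrets.yaml` path, otherwise future edits will silently drop the host recipient again. A one-line comment at the top of the file such as `# recipients: admin keys + web-arm host key; re-run `sops updatekeys` after changing .sops.yaml` would make the intended recipient set explicit.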
@@ -0,0 +1,114 @@ +{ + pkgs, + config, + ... +}: let + ldapConfig = { + vaultwarden_url = "https://bitwarden.cloonar.com"; + vaultwarden_admin_token = "@ADMIN_TOKEN@"; + ldap_host = "ldap.cloonar.com"; + ldap_ssl = true; + ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com"; + ldap_bind_password = "@LDAP_PASSWORD@"; + ldap_search_base_dn = "ou=users,dc=cloonar,dc=com"; + ldap_search_filter = "(&(objectClass=cloonarUser))"; + ldap_sync_interval_seconds = 3600; + }; + + ldapConfigFile = + pkgs.runCommand "config.toml" + { + buildInputs = [pkgs.remarshal]; + preferLocalBuild = true; + } '' + remarshal -if json -of toml \ + < ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \ + > $out + ''; +in { + imports = [ + ../../utils/modules/nur.nix + ]; + + environment.systemPackages = with pkgs; [ + nur.repos.mic92.vaultwarden_ldap + ]; + + services.vaultwarden = { + enable = true; + dbBackend = "mysql"; + config = { + domain = "https://bitwarden.cloonar.com"; + signupsAllowed = false; + rocketPort = 3011; + enableDbWal = "false"; + websocketEnabled = true; + smtpHost = "mail.cloonar.com"; + smtpFrom = "bitwarden@cloonar.com"; + smtpUsername = "bitwarden@cloonar.com"; + }; + }; + + systemd.services.vaultwarden.serviceConfig = { + EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path]; + }; + + systemd.services.vaultwarden_ldap = { + wantedBy = ["multi-user.target"]; + + preStart = '' + sed \ + -e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \ + -e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \ + ${ldapConfigFile} \ + > /run/vaultwarden_ldap/config.toml + ''; + + serviceConfig = { + Restart = "on-failure"; + RestartSec = "2s"; + ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap"; + Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml"; + + RuntimeDirectory = ["vaultwarden_ldap"]; + User = "vaultwarden_ldap"; + }; + }; + + 
services.nginx.virtualHosts."bitwarden.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + extraConfig = '' + client_max_body_size 128M; + ''; + locations."/" = { + proxyPass = "http://localhost:3011"; + proxyWebsockets = true; + }; + locations."/notifications/hub" = { + proxyPass = "http://localhost:3012"; + proxyWebsockets = true; + }; + locations."/notifications/hub/negotiate" = { + proxyPass = "http://localhost:3011"; + proxyWebsockets = true; + }; + }; + + sops.secrets = { + bitwarden-admin-token.owner = "vaultwarden_ldap"; + bitwarden-ldap-password.owner = "vaultwarden_ldap"; + bitwarden-db-password.owner = "vaultwarden"; + bitwarden-smtp-password.owner = "vaultwarden"; + }; + + users.users.vaultwarden_ldap = { + isSystemUser = true; + group = "vaultwarden_ldap"; + }; + + users.groups.vaultwarden_ldap = {}; + + services.mysqlBackup.databases = [ "bitwarden" ]; +} diff --git a/hosts/web-arm/modules/bitwarden/secrets.yaml b/hosts/web-arm/modules/bitwarden/secrets.yaml new file mode 100644 index 0000000..4b4c3ca --- /dev/null +++ b/hosts/web-arm/modules/bitwarden/secrets.yaml 
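Review bot: The `preStart` of `vaultwarden_ldap` renders the LDAP bind password and the admin token into `/run/vaultwarden_ldap/config.toml`, but `RuntimeDirectory` is created with systemd's default mode (0755) and the service runs with the default umask, so the rendered file is readable by every local account on the host. Adding `RuntimeDirectoryMode = "0700";` and `UMask = "0077";` to `serviceConfig` keeps the secrets confined to the `vaultwarden_ldap` user. The `sed` substitution also uses `=` as its delimiter, so an admin token or LDAP password containing `=` would corrupt the expression; a delimiter that cannot occur in those values, or a templating step that does not go through `sed`, would be safer. A short comment above `preStart` stating why the config is rendered at runtime rather than in the Nix store (`# secrets must not end up in /nix/store`) would help the next reader.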
@@ -0,0 +1,42 @@ +bitwarden-admin-token: ENC[AES256_GCM,data:nCj7kwQHTwezG3hh5J+c2MmUXwlGpdNjeh4A4SK/wgdBroAAghMSTuT6B7sjPgX5PmyBpzspdI3XqVUoBHzL6g==,iv:11C/ScaTqI1VlBSd71TA2cZNAu/wSbOs6rnDTlKlPsI=,tag:8eD0VkJn/KZ49yMe4D/MrA==,type:str] +bitwarden-db-password: ENC[AES256_GCM,data:4l3ntOHX4pdiUzfSqOwzObgMRp9eS5fjze6rJu1h3kKr/g/lsESLWiIHUoguixaNmoPU2zy42jEDvhXII6R+1g==,iv:mEMGGGyWerJaAvo7ymNfkR1YgTG1ieB3n40BB6L+UM4=,tag:iRd88BjFMMht9Ku9K34SXQ==,type:str] +bitwarden-ldap-password: ENC[AES256_GCM,data:g6tp0NzXk3ZJTGKHSzFxVZs4DhauzPS6SGW99WFX/CO0Wprgp9lh/evI6T56g2YhIv/3jqNSmi+p1FwdOzValw==,iv:mHMlhJx2aKLLkrPy+Z+/6plS/uMiK+xhYk/PF5m7+wQ=,tag:BgRNstiVnN95/pSX0DYfSw==,type:str] +bitwarden-smtp-password: ENC[AES256_GCM,data:4ruP8yMeTG5A19Oyvv2MBTj2LwecwwYc8BBU1xDT2i757orCNrQHJd0VLtzynluS9ge4vAU7G8islKwR/IIDGsEq74//CxJIyXyH9XLBfc5Jb2Rs1uz/Nz2uCWOCqm1AZ2/8uxXOPPNVhKcs3wxOLbLnA3Yzh+VFKsKIO753FkKllpFbeZanhfD2/N4fAGU4C5F+0HcrLBLBGC3X/CfQyPUSio1uwWPxRJR94DlRdPq+ir4YXHW48Mw/33lJZ+HqApk1Nf+gmTff7XTib1d44ac4JR8m20D8qOQ2Y9vfqJOxD7/PdgeqRLXN3K1PaSDE7JkWoiE0dM3vJ0q+Pqf47tm/xT4qaJvqI0jLXMwqmUg=,iv:TiZrLMPx9UbUf/4zKmRWTERM8phtyTX7Q3dCFqn+Ew4=,tag:55tuxMBWu6WpT4BllKV+pA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVzQvK0VkUzh2MDhzSm5Z + TWlYVHNQQk9sbTkxT2JtUVFTQ01xam1FSFJBCjh3QUN1VGhCakJlR3QrZCtkdWpk + RGtGbEM0c2xUTlJiWktrczA0eVlFMm8KLS0tIFNnM0JpcHNrdFBadkpLZTZaY3VQ + ckYzWldIN01TZ3dKYmhIU1ZqK3NGWE0KvVTpNRg7RN0jKBDEDf0U+52I17+A3Gkl + 1VGxCmO87cBPcxmfnxoAdpabqCV9l784YHkQsW3Z0gicr0392m78Rw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdURKWGg1dFk2MEFzVS9q + NkNReXU3RkNHaUUvZ0RMTXNVbkI5bDBwbHdzCjY2Rm1PMitteVBZQW1xMGxYMlFH + 
djJLSGtFUElsaTBETk5EZzgzMGh2TmMKLS0tIENJUUlWTmhMT1dlVWRpdmYwQnFi + cW02R1F0M2djcExEeVRUalp4cnRzY28KoFN3BS4C/xqoHeD3Is0AfRJlWRJQ/i5z + rFV9USYsD23M+tdirbVgCfaSBl5RZXB4SpNFiG3QjhmQ04JuIxuHQg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0b1pReWNGenpEZ1RtVkZz + dGIrQ1NYdzdlNTNacXFkNkY4eUVSUzJ4NjNnCmYxdlFYRm9VYlRnRS9GU28xSita + cVNadTBBNmF0TjkwZnhPdHVvUWVhdXMKLS0tIGJ0MS9qOXJhVEtoSUd2TWtCUmFq + dGxUQ1RmVkhXZDVRMGx5dUFDZUlTMkEKHwwCPamlcJoiJGIOVtLdcftMm3D5DgN/ + yijIfsBySzUfU1dfFp6GMpazL+81L4+8AEp3ZW7z2BBwwE7tm1yVzg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-01-28T21:53:06Z" + mac: ENC[AES256_GCM,data:jZq4UzkxyX/UhrmeKO7sFQpTlMB13lyi5/duXA0s2XX3W0U9g+TSZm21WiRGPjKmteJg0w2OhFsNk/y0uvD/oPE1ttLz/YRgiinuCoyufoX51AgQqS0KFxNBkTaDzoaKk3z1j8nEhAY2U0YS4fpOCNAkMsKdVZeTVOitcp/UeIE=,iv:5EzYCqUZri1VmD9wqQGxpypZe4F2h8W3D8a7mYbBBrg=,tag:iEFJBFmRJVw4YP5/V+21dQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/web-arm/modules/collabora.nix b/hosts/web-arm/modules/collabora.nix new file mode 100644 index 0000000..da679af --- /dev/null +++ b/hosts/web-arm/modules/collabora.nix 
@@ -0,0 +1,66 @@
+{ config, ... }:
+{
+ #Collabora Containers
+ virtualisation.oci-containers.containers.collabora = {
+ image = "docker.io/collabora/code:latest";
+ ports = [ "9980:9980/tcp" ];
+ environment = {
+ server_name = "code.cloonar.com";
+ aliasgroup1 = "https://cloud.cloonar.com:443";
+ dictionaries = "en_US";
+ extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
+ };
+ extraOptions = [
+ "--pull=newer"
+ ];
+ };
+
+ services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = {
+ enableACME = true;
+ forceSSL = true;
+
+ extraConfig = ''
+ # static files
+ location ^~ /browser {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # WOPI discovery URL
+ location ^~ /hosting/discovery {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # Capabilities
+ location ^~ /hosting/capabilities {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # main websocket
+ location ~ ^/cool/(.*)/ws$ {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 36000s;
+ }
+
+ # download, presentation and image upload
+ location ~ ^/(c|l)ool {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Host $host;
+ }
+
+ # Admin Console websocket
+ location ^~ /cool/adminws {
+ proxy_pass http://127.0.0.1:9980;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "Upgrade";
+ proxy_set_header Host $host;
+ proxy_read_timeout 36000s;
+ }
+ '';
+ };
+}
diff --git a/hosts/web-arm/modules/grafana.nix b/hosts/web-arm/modules/grafana.nix
new file mode 100644
index 0000000..c8edf0a
--- /dev/null
+++ b/hosts/web-arm/modules/grafana.nix
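Review bot: `ports = [ "9980:9980/tcp" ]` publishes the Collabora port on every host interface, so the container — including the `/cool/adminws` admin console that the nginx vhost proxies — is reachable in plain HTTP directly on :9980, bypassing the TLS vhost; the hunk shows no firewall rule that would close it. Binding the publication to loopback, `ports = [ "127.0.0.1:9980:9980/tcp" ];`, matches the `proxy_pass http://127.0.0.1:9980` targets already used in `extraConfig`. `image = "docker.io/collabora/code:latest"` together with `--pull=newer` also means every restart may silently switch to a new upstream release; pinning a version tag or digest would keep the deployment reproducible, with a comment explaining the chosen update policy.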
@@ -0,0 +1,107 @@ +{ lib, pkgs, config, ...}: +let + ldap = pkgs.writeTextFile { + name = "ldap.toml"; + text = '' + [[servers]] + host = "ldap.cloonar.com" + port = 636 + use_ssl = true + bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com" + bind_password = "$__file{/run/secrets/grafana-ldap-password}" + search_filter = "(&(objectClass=cloonarUser)(mail=%s))" + search_base_dns = ["ou=users,dc=cloonar,dc=com"] + + [servers.attributes] + name = "givenName" + surname = "sn" + username = "uid" + email = "mail" + member_of = "memberOf" + + [[servers.group_mappings]] + group_dn = "cn=Administrators,ou=groups,dc=cloonar,dc=com" + org_role = "Admin" + grafana_admin = true # Available in Grafana v5.3 and above + ''; + }; +in +{ + systemd.services.grafana.script = lib.mkBefore "export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat /run/secrets/grafana-oauth-secret)"; + services.grafana = { + enable = true; + settings = { + analytics.reporting_enabled = false; + # "auth.ldap".enabled = true; + # "auth.ldap".config_file = toString ldap; + + "auth.generic_oauth" = { + enabled = true; + name = "Authelia"; + icon = "signin"; + client_id = "grafana"; + scopes = "openid profile email groups"; + empty_scopes = false; + auth_url = "https://auth.cloonar.com/api/oidc/authorization"; + token_url = "https://auth.cloonar.com/api/oidc/token"; + api_url = "https://auth.cloonar.com/api/oidc/userinfo"; + login_attribute_path = "preferred_username"; + groups_attribute_path = "groups"; + name_attribute_path = "name"; + use_pkce = true; + }; + + "auth.anonymous".enabled = true; + "auth.anonymous".org_name = "Cloonar e.U."; + "auth.anonymous".org_role = "Viewer"; + + server = { + root_url = "https://grafana.cloonar.com"; + domain = "grafana.cloonar.com"; + enforce_domain = true; + enable_gzip = true; + http_addr = "0.0.0.0"; + http_port = 3001; + }; + + smtp = { + enabled = true; + host = "mail.cloonar.com:587"; + user = "grafana@cloonar.com"; + password = 
"$__file{${config.sops.secrets.grafana-ldap-password.path}}"; + fromAddress = "grafana@cloonar.com"; + }; + + database = { + type = "postgres"; + name = "grafana"; + host = "/run/postgresql"; + user = "grafana"; + }; + + security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}"; + }; + }; + + services.nginx.virtualHosts."grafana.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/".extraConfig = "proxy_pass http://localhost:3001;"; + }; + + services.postgresql.ensureUsers = [ + { + name = "grafana"; + ensureDBOwnership = true; + } + ]; + services.postgresql.ensureDatabases = [ "grafana" ]; + services.postgresqlBackup.databases = [ "grafana" ]; + + sops.secrets = { + grafana-admin-password.owner = "grafana"; + grafana-ldap-password.owner = "grafana"; + grafana-oauth-secret.owner = "grafana"; + }; +} diff --git a/hosts/web-arm/modules/loki.nix b/hosts/web-arm/modules/loki.nix new file mode 100644 index 0000000..9652286 --- /dev/null +++ b/hosts/web-arm/modules/loki.nix 
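Review bot: `smtp.password` is read from `config.sops.secrets.grafana-ldap-password.path`, i.e. the LDAP bind credential is reused as the SMTP password for `grafana@cloonar.com`; if that is not a deliberately shared credential, declare a dedicated secret (e.g. a `grafana-smtp-password` entry, placeholder name) under `sops.secrets` and reference it here, otherwise add a comment stating that the two accounts intentionally share a password. `server.http_addr = "0.0.0.0"` exposes Grafana on :3001 on all interfaces while the nginx vhost proxies to `localhost:3001`, so `http_addr = "127.0.0.1";` would confine access to the TLS vhost. The `ldap.toml` text hard-codes `/run/secrets/grafana-ldap-password` whereas the rest of the file uses `config.sops.secrets.<name>.path`; even though the LDAP block is currently commented out, the interpolated path keeps both in sync.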
@@ -0,0 +1,151 @@ +{ config, pkgs, ... }: +let + rulerConfig = { + groups = [ + { + name = "general"; + rules = [ + { + alert = "Coredumps"; + # filter out failed build gitlab CI runner, users or nix build sandboxes + expr = ''sum by (host) (count_over_time({unit=~"systemd-coredump.*"} !~ "(/runner/_work|/home|/build|/scratch)" |~ "core dumped"[10m])) > 0''; + for = "10s"; + annotations.description = ''{{ $labels.instance }} {{ $labels.coredump_unit }} core dumped in last 10min.''; + } + ]; + } + ]; + }; + + rulerDir = pkgs.writeTextDir "ruler/ruler.yml" (builtins.toJSON rulerConfig); +in +{ + systemd.tmpfiles.rules = [ + "d /var/lib/loki 0700 loki loki - -" + "d /var/lib/loki/ruler 0700 loki loki - -" + ]; + services.loki = { + enable = true; + configuration = { + # Basic stuff + auth_enabled = false; + server = { + http_listen_port = 3100; + log_level = "warn"; + }; + + # Distributor + distributor.ring.kvstore.store = "inmemory"; + + # Ingester + ingester = { + lifecycler.address = "0.0.0.0"; + lifecycler.ring = { + kvstore.store = "inmemory"; + replication_factor = 1; + }; + chunk_encoding = "snappy"; + # Disable block transfers on shutdown + }; + + # Storage + storage_config = { + boltdb.directory = "/var/lib/loki/boltdb"; + boltdb_shipper = { + active_index_directory = "/var/lib/loki/index"; + cache_location = "/var/lib/loki/boltdb-cache"; + }; + tsdb_shipper = { + active_index_directory = "/var/lib/loki/tsdb-index"; + cache_location = "/var/lib/loki/tsdb-cache"; + + }; + filesystem.directory = "/var/lib/loki/storage"; + + }; + + limits_config.retention_period = "48h"; + + # Table manager + table_manager = { + retention_deletes_enabled = true; + retention_period = "48h"; + }; + + compactor = { + retention_enabled = true; + compaction_interval = "10m"; + working_directory = "/var/lib/loki/compactor"; + retention_delete_delay = "2h"; + retention_delete_worker_count = 150; + delete_request_store = "filesystem"; + }; + + # Schema + schema_config.configs = [ + { + 
from = "2020-11-08"; + store = "boltdb-shipper"; + object_store = "filesystem"; + schema = "v13"; + index.prefix = "index_"; + index.period = "24h"; + } + { + from = "2024-04-01"; + store = "tsdb"; + object_store = "filesystem"; + schema = "v13"; + index.prefix = "index_"; + index.period = "24h"; + } + ]; + + limits_config.ingestion_burst_size_mb = 16; + + # ruler = { + # storage = { + # type = "local"; + # local.directory = rulerDir; + # }; + # rule_path = "/var/lib/loki/ruler"; + # alertmanager_url = "http://alertmanager.cloonar.com"; + # ring.kvstore.store = "inmemory"; + # }; + + query_range.cache_results = true; + query_range.parallelise_shardable_queries = false; + limits_config.split_queries_by_interval = "24h"; + }; + }; + + sops.secrets.promtail-nginx-password.owner = "nginx"; + + services.nginx.virtualHosts."loki.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + locations."/" = { + proxyWebsockets = true; + extraConfig = '' + auth_basic "Loki password"; + auth_basic_user_file ${config.sops.secrets.promtail-nginx-password.path}; + + proxy_read_timeout 1800s; + proxy_redirect off; + proxy_connect_timeout 1600s; + + access_log off; + proxy_pass http://127.0.0.1:3100; + ''; + }; + locations."/ready" = { + proxyWebsockets = true; + extraConfig = '' + auth_basic off; + access_log off; + proxy_pass http://127.0.0.1:3100; + ''; + }; + }; +} diff --git a/hosts/web-arm/modules/mysql.nix b/hosts/web-arm/modules/mysql.nix new file mode 100644 index 0000000..84578ea --- /dev/null +++ b/hosts/web-arm/modules/mysql.nix 
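Review bot: The `server` block sets only `http_listen_port = 3100` and no `http_listen_address`, so Loki (with `auth_enabled = false`) listens on all interfaces and the `auth_basic` gate in the nginx vhost can be bypassed by talking to :3100 directly, unless a firewall rule outside this hunk closes the port; `http_listen_address = "127.0.0.1";` next to `http_listen_port` restricts it to the loopback target nginx already uses. In both `locations."/"` and `locations."/ready"`, `proxyWebsockets = true` is paired with a `proxy_pass` inside `extraConfig` rather than the `proxyPass` option; as far as I recall the NixOS nginx module only emits the Upgrade/Connection headers when `proxyPass` itself is set, so the flag is likely a no-op here. The comment `# Disable block transfers on shutdown` in `ingester` has no setting beneath it, so it should either be removed or the intended option restored.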
@@ -0,0 +1,78 @@ +{ pkgs, ... }: + +let + mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" '' + #!/usr/bin/env bash + if [ $# -lt 2 ] + then + echo "Usage: $0 " + exit 1 + fi + + if ! [ $EUID -eq 0 ] + then + echo "Must be root!" >&2 + exit 1 + fi + + DB="$1" + HOST="$2" + PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)" + + cat <" + exit 1 + fi + + if ! [ $EUID -eq 0 ] + then + echo "Must be root!" >&2 + exit 1 + fi + + DB="$1" + PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)" + + cat <= node_filefd_maximum + FOR 20m + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.", + description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours" + } + ALERT node_load1_90percent + IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: Running on high load.", + description = "{{$labels.alias}} is running with > 90% total load for at least 1h." + } + ALERT node_cpu_util_90percent + IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90 + FOR 1h + LABELS { + severity="page" + } + ANNOTATIONS { + summary = "{{$labels.alias}}: High CPU utilization.", + description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h." 
+ } + ALERT node_ram_using_90percent + IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1 + FOR 30m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Using lots of RAM.", + description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.", + } + ALERT node_swap_using_80percent + IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8 + FOR 10m + LABELS { + severity="page" + } + ANNOTATIONS { + summary="{{$labels.alias}}: Running out of swap soon.", + description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now." + } + ALERT homeassistant = { + IF homeassistant_entity_available{domain="persistent_notification", entity!~"persistent_notification.http_login|persistent_notification.recorder_database_migration"} >= 0 + ANNOTATIONS { + description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}" + } + + ALERT gitea + IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3 + ANNOTATIONS { + description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes" + } + '' + ]; + scrapeConfigs = [ + { + job_name = "telegraf"; + scrape_interval = "60s"; + metrics_path = "/metrics"; + static_configs = [ + { + targets = [ + "web-01.cloonar.com:9273" + ]; + labels.host = "web-01.cloonar.com"; + } + { + targets = [ + "mail.cloonar.com:9273" + ]; + labels.host = "mail.cloonar.com"; + } + { + targets = [ + "git.cloonar.com:9273" + ]; + labels.host = "git.cloonar.com"; + } + { + targets = [ + "home-assistant.cloonar.com:9273" + ]; + labels.host = "home-assistant.cloonar.com"; + } + { + targets = map (host: "${host}.cloonar.com:9273") [ + "web-01" + "mail" + "git" + "home-assistant" + ]; + + labels.org = "cloonar"; + } + ]; + } + { + job_name = "homeassistant"; + scrape_interval = "60s"; + metrics_path = 
"/api/prometheus"; + + authorization.credentials_file = config.sops.secrets.hass-token.path; + + scheme = "https"; + static_configs = [ + { + targets = [ + "home-assistant.cloonar.com:443" + ]; + } + ]; + } + { + job_name = "gitea"; + scrape_interval = "60s"; + metrics_path = "/metrics"; + + scheme = "https"; + static_configs = [ + { + targets = [ + "git.cloonar.com:443" + ]; + } + ]; + } + ]; + }; + # services.prometheus.alertmanager = { + # enable = true; + # environmentFile = config.sops.secrets.alertmanager.path; + # webExternalUrl = "https://alertmanager.cloonar.com"; + # listenAddress = "[::1]"; + # configuration = { + # global = { + # # The smarthost and SMTP sender used for mail notifications. + # smtp_smarthost = "mail.cloonar.com:587"; + # smtp_from = "alertmanager@cloonar.com"; + # smtp_auth_username = "alertmanager@cloonar.com"; + # smtp_auth_password = "$SMTP_PASSWORD"; + # }; + # route = { + # receiver = "default"; + # routes = [ + # { + # group_by = [ "host" ]; + # match_re.org = "krebs"; + # group_wait = "5m"; + # group_interval = "5m"; + # repeat_interval = "4h"; + # receiver = "krebs"; + # } + # { + # group_by = [ "host" ]; + # match_re.org = "nix-community"; + # group_wait = "5m"; + # group_interval = "5m"; + # repeat_interval = "4h"; + # receiver = "nix-community"; + # } + # { + # group_by = [ "host" ]; + # match_re.org = "clan-lol"; + # group_wait = "5m"; + # group_interval = "5m"; + # repeat_interval = "4h"; + # receiver = "clan-lol"; + # } + # { + # group_by = [ "host" ]; + # group_wait = "30s"; + # group_interval = "2m"; + # repeat_interval = "2h"; + # receiver = "all"; + # } + # ]; + # }; + # receivers = [ + # { + # name = "krebs"; + # webhook_configs = [ + # { + # url = "http://127.0.0.1:9223/"; + # max_alerts = 5; + # } + # ]; + # } + # #{ + # # name = "numtide"; + # # slack_configs = [ + # # { + # # token = "$SLACK_TOKEN"; + # # api_url = "https://"; + # # } + # # ]; + # #} + # { + # name = "nix-community"; + # webhook_configs = [ + # { 
+ # url = "http://localhost:9088/alert";
+ # max_alerts = 5;
+ # }
+ # ];
+ # }
+ # {
+ # name = "clan-lol";
+ # webhook_configs = [
+ # # TODO
+ # #{
+ # # url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
+ # # max_alerts = 5;
+ # #}
+ # ];
+ # }
+ # {
+ # name = "all";
+ # pushover_configs = [
+ # {
+ # user_key = "$PUSHOVER_USER_KEY";
+ # token = "$PUSHOVER_TOKEN";
+ # priority = "0";
+ # }
+ # ];
+ # }
+ # {
+ # name = "default";
+ # }
+ # ];
+ # };
+ # };
+
+}
diff --git a/hosts/web-arm/modules/rustdesk.nix b/hosts/web-arm/modules/rustdesk.nix
new file mode 100644
index 0000000..047aa1b
--- /dev/null
+++ b/hosts/web-arm/modules/rustdesk.nix
@@ -0,0 +1,39 @@
+{ config, pkgs, ... }:
+
+{
+ virtualisation = {
+ podman.enable = true;
+ oci-containers.containers = {
+ rustdesk-server = {
+ image = "rustdesk/rustdesk-server-s6:1";
+ volumes = [ "/var/lib/rustdesk-server:/data" ];
+ environment = {
+ RELAY = "rustdesk.cloonar.com:21117";
+ };
+ ports = [
+ "21115:21115"
+ "21116:21116"
+ "21116:21116/udp"
+ "21118:21118"
+ "21117:21117"
+ "21119:21119"
+ ];
+ };
+ };
+ };
+
+ users.users.rustdesk-server = {
+ isSystemUser = true;
+ group = "rustdesk-server";
+ home = "/var/lib/rustdesk-server";
+ createHome = true;
+ };
+ users.groups.rustdesk-server = { };
+ users.groups.docker.members = [ "rustdesk-server" ];
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [ 5000 21115 21116 21117 21118 21119 ];
+ allowedUDPPorts = [ 21116 ];
+ };
+}
diff --git a/hosts/web-arm/modules/victoriametrics.nix b/hosts/web-arm/modules/victoriametrics.nix
new file mode 100644
index 0000000..5e8857a
--- /dev/null
+++ b/hosts/web-arm/modules/victoriametrics.nix
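Review bot: `users.groups.docker.members = [ "rustdesk-server" ]` grants the `rustdesk-server` account docker-group membership, which on a host with a docker socket is effectively root-equivalent, yet nothing in this hunk runs as that user: the container is declared through `oci-containers` with `podman.enable = true`, which starts it as a root-managed systemd unit. If the user only exists to own `/var/lib/rustdesk-server`, drop the docker-group line (and consider whether the user is needed at all); if it is meant to run the container rootless, say so in a comment and wire it through the oci-containers options instead. `allowedTCPPorts` opens 5000 although no `5000:…` mapping is published by the container, so either remove it or document what listens there, e.g. `# 5000: <service, to be confirmed>`. The module's `config` and `pkgs` arguments are unused and can be trimmed to `{ ... }:`.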
@@ -0,0 +1,43 @@
+{ config, ... }:
+let
+ configure_prom = builtins.toFile "prometheus.yml" ''
+ scrape_configs:
+ - job_name: '${config.networking.hostName}'
+ stream_parse: true
+ static_configs:
+ - targets:
+ - 127.0.0.1:9100
+ '';
+in {
+ services.prometheus.exporters.node.enable = true;
+
+ sops.secrets.victoria-nginx-password.owner = "nginx";
+
+ services.victoriametrics = {
+ enable = true;
+ extraOptions = [
+ "-promscrape.config=${configure_prom}"
+ ];
+ };
+
+ services.nginx.virtualHosts."victoria-server.cloonar.com" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ locations."/" = {
+ proxyWebsockets = true;
+ extraConfig = ''
+ auth_basic "Victoria password";
+ auth_basic_user_file ${config.sops.secrets.victoria-nginx-password.path};
+
+ proxy_read_timeout 1800s;
+ proxy_redirect off;
+ proxy_connect_timeout 1600s;
+
+ access_log off;
+ proxy_pass http://127.0.0.1:8428;
+ '';
+ };
+ };
+
+}
diff --git a/hosts/web-arm/modules/web/stack.nix b/hosts/web-arm/modules/web/stack.nix
new file mode 100644
index 0000000..e588cf3
--- /dev/null
+++ b/hosts/web-arm/modules/web/stack.nix
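Review bot: `services.victoriametrics` is enabled without a `listenAddress`, and `services.prometheus.exporters.node.enable = true` likewise relies on the module defaults; if I recall the NixOS defaults correctly both bind to all interfaces (`:8428` and `:9100`), so the `auth_basic` protection in the nginx vhost is only as good as the host firewall, which this hunk does not show. Restricting both to loopback, `services.victoriametrics.listenAddress = "127.0.0.1:8428";` and `services.prometheus.exporters.node.listenAddress = "127.0.0.1";`, matches the `127.0.0.1:9100` scrape target and the `127.0.0.1:8428` proxy target already written here. As in loki.nix, `proxyWebsockets = true` sits next to a `proxy_pass` written into `extraConfig` rather than the `proxyPass` option, so it is probably a no-op; a short comment on the vhost saying that basic auth is the only access control for the write/query API would also help.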
@@ -0,0 +1,328 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.webstack; + + instanceOpts = { name, ... }: + { + options = { + user = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + User of the typo3 instance. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + domain = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Domain of the typo3 instance. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + domainAliases = mkOption { + type = types.listOf types.str; + default = []; + example = [ "www.example.org" "example.org" ]; + description = lib.mdDoc '' + Additional domains served by this typo3 instance. + ''; + }; + + phpPackage = mkOption { + type = types.package; + example = literalExpression "pkgs.php"; + description = lib.mdDoc '' + Which PHP package to use in this typo3 instance. + ''; + }; + + phpOptions = mkOption { + type = types.lines; + default = ""; + description = '' + "Options appended to the PHP configuration file {file}`php.ini` used for this PHP-FPM pool." + ''; + }; + + enableMysql = mkEnableOption (lib.mdDoc "MySQL Database"); + enableDefaultLocations = mkEnableOption (lib.mdDoc "Create default nginx location directives") // { default = true; }; + + authorizedKeys = mkOption { + type = types.listOf types.str; + default = null; + description = lib.mdDoc '' + Authorized keys for the typo3 instance ssh user. + ''; + }; + + extraConfig = mkOption { + type = types.lines; + default = '' + if (!-e $request_filename) { + rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; + } + ''; + description = lib.mdDoc '' + These lines go to the end of the vhost verbatim. 
+ ''; + }; + + locations = mkOption { + type = types.attrsOf (types.submodule (import { + inherit lib config; + })); + default = {}; + example = literalExpression '' + { + "/" = { + proxyPass = "http://localhost:3000"; + }; + }; + ''; + description = lib.mdDoc "Declarative location config"; + }; + + }; + }; +in + +{ + options.services.webstack = { + dataDir = mkOption { + type = types.path; + default = "/var/www"; + description = lib.mdDoc '' + The data directory for MySQL. + + ::: {.note} + If left as the default value of `/var/www` this directory will automatically be created before the web + server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. + ::: + ''; + }; + + instances = mkOption { + type = types.attrsOf (types.submodule instanceOpts); + default = {}; + description = lib.mdDoc "Create vhosts for typo3"; + example = literalExpression '' + { + "typo3.example.com" = { + domain = "example.com"; + domainAliases = [ "www.example.com" ]; + phpPackage = pkgs.php81; + authorizedKeys = [ + "ssh-rsa AZA==" + ]; + }; + }; + ''; + }; + }; + + config = { + systemd.services = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + in + nameValuePair "phpfpm-${domain}" { + serviceConfig = { + ProtectHome = lib.mkForce "tmpfs"; + BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"; + }; + } + ) cfg.instances; + + services.phpfpm.pools = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in + nameValuePair domain { + user = user; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "syslog"; + "php_admin_value[max_execution_time]" = 240; + "php_admin_value[max_input_vars]" = 1500; + "access.log" = "/var/log/$pool.access.log"; + }; + phpOptions = instanceOpts.phpOptions; + phpPackage = instanceOpts.phpPackage; + phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ]; + } + ) cfg.instances; + + }; + + + config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + nameValuePair domain { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = cfg.dataDir + "/" + domain + "/public"; + + locations = lib.mkMerge [ + instanceOpts.locations + (mkIf instanceOpts.enableDefaultLocations { + "/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + # Cache.appcache, your document html and data + "~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = '' + expires -1; + # access_log logs/static.log; # I don't usually include a static log + ''; + + "~* \\.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + # Cache Media: images, icons, video, audio, HTC + "~* \\.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' + expires 1y; + access_log off; + add_header Cache-Control "public"; + ''; + + # Feed + "~* 
\\.(?:rss|atom)$".extraConfig = '' + expires 1h; + add_header Cache-Control "public"; + ''; + + # Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts + "~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' + expires 1y; + access_log off; + add_header Cache-Control "public"; + ''; + + "/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + }) + { + "~ [^/]\\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + } + ]; + + extraConfig = instanceOpts.extraConfig; + + + # locations = mapAttrs' (location: locationOpts: + # nameValuePair location locationOpts) instanceOpts.locations; + + } + ) cfg.instances; + + config.users.users = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + nameValuePair user { + isNormalUser = true; + createHome = true; + home = "/var/www/" + domain; + homeMode= "770"; + group = config.services.nginx.group; + openssh.authorizedKeys.keys = instanceOpts.authorizedKeys; + } + ) cfg.instances; +config.users.groups = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in nameValuePair user {}) cfg.instances; + + config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + mkIf instanceOpts.enableMysql { + name = user; + ensurePermissions = { + "${user}.*" = "ALL PRIVILEGES"; + }; + }) cfg.instances; + + config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + mkIf instanceOpts.enableMysql user + ) cfg.instances; + config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + mkIf instanceOpts.enableMysql user + ) cfg.instances; +} + diff --git a/hosts/web-arm/modules/web/typo3.nix b/hosts/web-arm/modules/web/typo3.nix new file mode 100644 index 0000000..e564382 --- /dev/null +++ b/hosts/web-arm/modules/web/typo3.nix 
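Review bot: Every `user = if instanceOpts.user != null then instanceOps.user else …` expression (phpfpm pools, nginx vhosts, `users.users`, `users.groups`, and the three mysql mappings) references `instanceOps` without the `t`; that name is never bound, so the first instance that sets `user` fails evaluation with an undefined-variable error, and the bug is masked only while every instance leaves `user = null`. The fix is `then instanceOpts.user` in each occurrence, and the same misspelling recurs in `typo3.nix` (its hunk continues past this chunk); since the domain/user derivation is copied verbatim six times, hoisting it into one `let` helper would remove the duplication and the chance of re-introducing the typo. In `systemd.services`, `BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}";` embeds the key name in the value, so systemd receives `BindPaths=BindPaths=/var/www/…`; it should read `BindPaths = "/var/www/${domain}:/var/www/${domain}";`. `authorizedKeys` is typed `types.listOf types.str` but defaults to `null`, which will not type-check for an instance that omits it; `default = [];` is the consistent choice, and the `dataDir` description still says "The data directory for MySQL".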
@@ -0,0 +1,445 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.services.typo3; + + instanceOpts = { name, ... }: + { + options = { + user = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + User of the typo3 instance. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + domain = mkOption { + type = types.nullOr types.str; + default = null; + description = lib.mdDoc '' + Domain of the typo3 instance. Defaults to attribute name in instances. + ''; + example = "example.org"; + }; + + domainAliases = mkOption { + type = types.listOf types.str; + default = []; + example = [ "www.example.org" "example.org" ]; + description = lib.mdDoc '' + Additional domains served by this typo3 instance. + ''; + }; + + phpPackage = mkOption { + type = types.package; + example = literalExpression "pkgs.php"; + description = lib.mdDoc '' + Which PHP package to use in this typo3 instance. + ''; + }; + + authorizedKeys = mkOption { + type = types.listOf types.str; + default = null; + description = lib.mdDoc '' + Authorized keys for the typo3 instance ssh user. + ''; + }; + }; + }; +in + +{ + options.services.typo3 = { + dataDir = mkOption { + type = types.path; + default = "/var/www"; + description = lib.mdDoc '' + The data directory for MySQL. + + ::: {.note} + If left as the default value of `/var/www` this directory will automatically be created before the web + server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions. 
+ ::: + ''; + }; + + instances = mkOption { + type = types.attrsOf (types.submodule instanceOpts); + default = {}; + description = lib.mdDoc "Create vhosts for typo3"; + example = literalExpression '' + { + "typo3.example.com" = { + domain = "example.com"; + domainAliases = [ "www.example.com" ]; + phpPackage = pkgs.php82; + authorizedKeys = [ + "ssh-rsa AZA==" + ]; + }; + }; + ''; + }; + }; + + config = { + # systemd.services = mapAttrs' (instance: instanceOpts: + # let + # domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + # in + # nameValuePair "phpfpm-${domain}" { + # serviceConfig = { + # ProtectHome = lib.mkForce "tmpfs"; + # BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}"; + # }; + # } + # ) cfg.instances; + + systemd.timers = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + nameValuePair ("typo3-cron-" + domain) { + wantedBy = [ "timers.target" ]; + timerConfig = { + OnCalendar = "05:00"; + Unit = "typo3-cron-" + domain + ".service"; + }; + } + ) cfg.instances; + systemd.services = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in + nameValuePair ("typo3-cron-" + domain) { + script = '' + set -eu + ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 scheduler:run + ${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 ke_search:indexing + ''; + serviceConfig = { + Type = "oneshot"; + User = user; + }; + } + ) cfg.instances; + + services.phpfpm.pools = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + nameValuePair domain { + user = user; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "syslog"; + "php_admin_value[max_execution_time]" = 240; + "php_admin_value[max_input_vars]" = 1500; + "php_admin_value[upload_max_filesize]" = "256M"; + "php_admin_value[post_max_size]" = "256M"; + "access.log" = "/var/log/$pool.access.log"; + }; + phpOptions = '' + opcache.enable=1 + opcache.memory_consumption=128 + opcache.validate_timestamps=0 + opcache.revalidate_path=0 + ''; + phpPackage = instanceOpts.phpPackage; + phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ]; + } + ) cfg.instances; + + }; + + + config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in + nameValuePair domain { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = cfg.dataDir + "/" + domain + "/public"; + serverAliases = instanceOpts.domainAliases; + + extraConfig = '' + if (!-e $request_filename) { + rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; + } + + # Virtual endpoint created by nginx to forward auth requests. + location /authelia { + internal; + set $upstream_authelia http://127.0.0.1:9091/api/verify; + proxy_pass_request_body off; + proxy_pass $upstream_authelia; + proxy_set_header Content-Length ""; + + # Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # [REQUIRED] Needed by Authelia to check authorizations of the resource. + # Provide either X-Original-URL and X-Forwarded-Proto or + # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. + # Those headers will be used by Authelia to deduce the target url of the user. + # Basic Proxy Config + client_body_buffer_size 128k; + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; + } + ''; + + # locations."/typo3/login" = { + # extraConfig = '' + # # Basic Authelia Config + # # Send a subsequent request to Authelia to verify if the user is authenticated + # # and has the right permissions to access the resource. 
+ # auth_request /authelia; + # # Set the `target_url` variable based on the request. It will be used to build the portal + # # URL with the correct redirection parameter. + # auth_request_set $target_url $scheme://$http_host$request_uri; + # # Set the X-Forwarded-User and X-Forwarded-Groups with the headers + # # returned by Authelia for the backends which can consume them. + # # This is not safe, as the backend must make sure that they come from the + # # proxy. In the future, it's gonna be safe to just use OAuth. + # auth_request_set $user $upstream_http_remote_user; + # auth_request_set $groups $upstream_http_remote_groups; + # auth_request_set $name $upstream_http_remote_name; + # auth_request_set $email $upstream_http_remote_email; + # proxy_set_header Remote-User $user; + # proxy_set_header Remote-Groups $groups; + # proxy_set_header Remote-Name $name; + # proxy_set_header Remote-Email $email; + # # If Authelia returns 401, then nginx redirects the user to the login portal. + # # If it returns 200, then the request pass through to the backend. + # # For other type of errors, nginx will handle them as usual. 
+ # error_page 401 =302 https://auth.cloonar.com/?rd=$target_url; + # + # fastcgi_param REMOTE_USER $user; + # + # include ${pkgs.nginx}/conf/fastcgi.conf; + # fastcgi_buffer_size 32k; + # fastcgi_buffers 8 16k; + # fastcgi_connect_timeout 240s; + # fastcgi_read_timeout 240s; + # fastcgi_send_timeout 240s; + # fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + # fastcgi_param SCRIPT_FILENAME ${cfg.dataDir}/${domain}/public/typo3/index.php; + # ''; + # }; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + # TYPO3 - Block access to composer files + locations."~* composer\\.(?:json|lock)".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to flexform files + locations."~* flexform[^.]*\\.xml".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to language files + locations."~* locallang[^.]*\\.(?:xml|xlf)$".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to static typoscript files + locations."~* ext_conf_template\\.txt|ext_typoscript_constants\\.txt|ext_typoscript_setup\\.txt".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to miscellaneous protected files + locations."~* /.*\\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = '' + deny all; + ''; + # locations."~* /.*\.(?:bak|cfg|co?nf|ya?ml|ts)$".extraConfig = '' + # deny all; + # ''; + + # TYPO3 - Block access to recycler and temporary directories + locations."~ _(?:recycler|temp)_/".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to configuration files stored in fileadmin + locations."~ fileadmin/(?:templates)/.*\\.(?:txt|ts|typoscript)$".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to libraries, source and temporary compiled data + locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to protected extension directories + locations."~ 
(?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = '' + deny all; + ''; + + # Cache.appcache, your document html and data + locations."~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = '' + expires -1; + # access_log logs/static.log; # I don't usually include a static log + ''; + + # Cache Media: images, icons, video, audio, HTC + locations."~* \\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' + expires 1y; + access_log off; + add_header Cache-Control "public"; + ''; + + # Feed + locations."~* \\.(?:rss|atom)$".extraConfig = '' + expires 1h; + add_header Cache-Control "public"; + ''; + + # Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts + locations."~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = '' + expires 1y; + access_log off; + add_header Cache-Control "public"; + ''; + + locations."/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + + # TYPO3 Backend URLs + locations."/typo3$".extraConfig = '' + rewrite ^ /typo3/; + ''; + + locations."/typo3/".extraConfig = '' + try_files $uri /typo3/index.php$is_args$args; + ''; + + locations."~ [^/]\\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + } + ) cfg.instances; + + config.users.users = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." 
"-"] ["_" "_"] domain; + in + nameValuePair user { + isNormalUser = true; + createHome = true; + home = "/var/www/" + domain; + homeMode= "770"; + group = config.services.nginx.group; + openssh.authorizedKeys.keys = instanceOpts.authorizedKeys; + } + ) cfg.instances; + config.users.groups = mapAttrs' (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in nameValuePair user {}) cfg.instances; + + config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + { + name = user; + ensurePermissions = { + "${user}.*" = "ALL PRIVILEGES"; + }; + }) cfg.instances; + + config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + user + ) cfg.instances; + config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts: + let + domain = if instanceOpts.domain != null then instanceOpts.domain else instance; + user = if instanceOpts.user != null + then instanceOps.user + else builtins.replaceStrings ["." "-"] ["_" "_"] domain; + in + user + ) cfg.instances; +} diff --git a/hosts/web-arm/modules/zammad/default.nix b/hosts/web-arm/modules/zammad/default.nix new file mode 100644 index 0000000..43ea290 --- /dev/null +++ b/hosts/web-arm/modules/zammad/default.nix 
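Review bot: Every `let` block in this file (systemd.timers, systemd.services, phpfpm.pools, nginx.virtualHosts, users.users, users.groups and the three mysql lists) spells the lambda argument as `instanceOps.user` in the `then` branch, so setting `user` on any instance aborts evaluation with an undefined-variable error instead of applying the override; each should read `then instanceOpts.user`, and the hunk that ends just above this file's header carries the same misspelling. `authorizedKeys` is declared as `types.listOf types.str` with `default = null`, which fails the type check for any instance that does not set it; `default = [];` matches both the type and the `openssh.authorizedKeys.keys` consumer. The `dataDir` option is honoured only by the nginx `root`, while the users' `home` and the cron script hard-code `/var/www/${domain}`, so a non-default `dataDir` silently splits the tree; its description also still says "The data directory for MySQL." and should describe it as the parent directory of the TYPO3 web roots. One further caveat: the `ensurePermissions` key `"${user}.*"` is built from a name in which `.` and `-` became `_`, and MySQL treats an unescaped `_` in a GRANT database name as a single-character wildcard, so the grant is wider than the one ensured database unless the underscores are escaped as `\_`.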
@@ -0,0 +1,117 @@ +{ config, pkgs, ... }: + +{ + services.zammad = { + enable = true; + port = 3010; + secretKeyBaseFile = config.sops.secrets.zammad-key-base.path; + database = { + createLocally = true; + }; + }; + + services.nginx.enable = true; + services.nginx.virtualHosts."support.cloonar.com" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + + extraConfig = '' + # Virtual endpoint created by nginx to forward auth requests. + location /authelia { + internal; + set $upstream_authelia http://127.0.0.1:9091/api/verify; + proxy_pass_request_body off; + proxy_pass $upstream_authelia; + proxy_set_header Content-Length ""; + + # Timeout if the real server is dead + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; + + # [REQUIRED] Needed by Authelia to check authorizations of the resource. + # Provide either X-Original-URL and X-Forwarded-Proto or + # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both. + # Those headers will be used by Authelia to deduce the target url of the user. 
+ # Basic Proxy Config + client_body_buffer_size 128k; + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-Uri $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_set_header Connection ""; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 4 32k; + + # Advanced Proxy Config + send_timeout 5m; + proxy_read_timeout 240; + proxy_send_timeout 240; + proxy_connect_timeout 240; + } + ''; + + locations."/" = { + proxyPass = "http://127.0.0.1:3010"; + proxyWebsockets = true; + extraConfig = + "proxy_connect_timeout 300;" + + "proxy_send_timeout 300;" + + "proxy_read_timeout 300;" + + "send_timeout 300;" + ; + }; + locations."/auth/sso" = { + proxyPass = "http://127.0.0.1:3010"; + proxyWebsockets = true; + + extraConfig = '' + # Basic Authelia Config + # Send a subsequent request to Authelia to verify if the user is authenticated + # and has the right permissions to access the resource. + auth_request /authelia; + # Set the `target_url` variable based on the request. It will be used to build the portal + # URL with the correct redirection parameter. + auth_request_set $target_url $scheme://$http_host$request_uri; + # Set the X-Forwarded-User and X-Forwarded-Groups with the headers + # returned by Authelia for the backends which can consume them. + # This is not safe, as the backend must make sure that they come from the + # proxy. In the future, it's gonna be safe to just use OAuth. 
+ auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header Remote-User $user; + proxy_set_header Remote-Groups $groups; + proxy_set_header Remote-Name $name; + proxy_set_header Remote-Email $email; + # If Authelia returns 401, then nginx redirects the user to the login portal. + # If it returns 200, then the request pass through to the backend. + # For other type of errors, nginx will handle them as usual. + error_page 401 =302 https://auth.cloonar.com/?rd=$target_url; + ''; + }; + locations."/ws" = { + proxyPass = "http://127.0.0.1:6042"; + proxyWebsockets = true; + extraConfig = + "proxy_read_timeout 86400;" + + "send_timeout 300;" + ; + }; + }; + + sops.secrets = { + zammad-db-password.sopsFile = ./secrets.yaml; + zammad-key-base.owner = "zammad"; + }; + + services.postgresqlBackup.enable = true; + services.postgresqlBackup.databases = [ "zammad" ]; +} diff --git a/hosts/web-arm/modules/zammad/secrets.yaml b/hosts/web-arm/modules/zammad/secrets.yaml new file mode 100644 index 0000000..7d5ceb0 --- /dev/null +++ b/hosts/web-arm/modules/zammad/secrets.yaml 
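Review bot: The `/` and `/ws` locations proxy to the same Zammad backend as `/auth/sso` but do not clear the `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email` request headers, so whatever a client sends in those headers reaches the backend on those paths; only `/auth/sso` overwrites them from the Authelia `auth_request` result. The hunk's own comment notes that the backend must ensure these headers come from the proxy, so unless Zammad is known to honour them only on `/auth/sso`, the proxy should blank them on every other location, as sketched below. Separately, `zammad-db-password` is declared with `sopsFile = ./secrets.yaml` but nothing in this file consumes it (the database is `createLocally = true` with no password file), while `zammad-key-base` presumably falls back to the host's default sops file; both names also appear in `hosts/web-arm/secrets.yaml` further down, so one of the two copies is likely stale and it should be stated which file is authoritative.
```nix
locations."/" = {
  proxyPass = "http://127.0.0.1:3010";
  proxyWebsockets = true;
  extraConfig =
    "proxy_connect_timeout 300;" +
    "proxy_send_timeout 300;" +
    "proxy_read_timeout 300;" +
    "send_timeout 300;" +
    # Only /auth/sso may populate the Authelia identity headers;
    # blank whatever a client sent on this path.
    "proxy_set_header Remote-User \"\";" +
    "proxy_set_header Remote-Groups \"\";" +
    "proxy_set_header Remote-Name \"\";" +
    "proxy_set_header Remote-Email \"\";"
  ;
};
# … unchanged: /auth/sso location …
# … /ws: add the same four proxy_set_header directives to its extraConfig …
```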
@@ -0,0 +1,40 @@ +zammad-db-password: ENC[AES256_GCM,data:FFsTnwQcL8V1ZWvZ9a15FWcHnsrC7nuDW155reSmfg/IRhRfrtnvbCDQ0N3AMh7TBiyG3x5za/6orV04CplUgQ==,iv:inQXkwlTbGaKgU3nfOtIYMcheBdGv8xa7dCad8WrGEc=,tag:fxjNRCUpS6RMipk4D08new==,type:str] +zammad-key-base: ENC[AES256_GCM,data:z2v1GrjRFoaDY9tPaAsUJPVRHZhSOrXWCZhhm5E6rmH4s6QWU1EW7aY4PPgditdcathLRWkDlBT5c3SQ8Cd2DPLp/SVn9Xd8w8g/lrplhNC2sJXUyB+CUgdEnBBN0XPMsFWNx9EIrqGrF/A8js5eKtQON9fCNytaHMOsCCc0rNE=,iv:oHKiXE9U0h846XVpCrcD/dFJ1MAXCYrnM80CwaWgALc=,tag:W88DsRWvdudMscH+UBPy/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUc0RlQUt4VHU1eWZrdlF5 + UFhjSU5TWFlGbTIwbzVlaStHaWRTdS92d0YwCkJQRlh0eWVNRW9SdUFXQUZzNFYw + dktoSmFqbWxDbXR0dDNTNy8zTHYwQUEKLS0tIFFwQkdvK2QvSmFGaVRBaVFMeEFi + YUZ6b1dzUGZkL2t4aU5tTjA4UC9KU3cKmhugvvIexQqpVtGp7aLKU7WSQNxk0cTO + +8MWF1v0mztJlGbiWk5OOzT9L8TO7GDGXfi8GyMVgVBvaA7tFF709w== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZGRWbnVxVUdHWndEanlk + Wmp4WS8yUjdrVSsxTHFNcjFUWm5IZytaZVRzCmorZTJRSnBRTE5qK2xiZGtYNXZH + RjBDdWE5NjE3ZWtXRU5Fc2FaVFkzNUEKLS0tIGwvUjVBL2NpdTFsY04zbktJRGxF + QWo1Vm56dnZWQ2l1K3hzVlZDL3BaTHMKw9CjtbS9hyW42prUhlTIcmcb4Z6OaxRr + T7RJZxXefEr4myJYI5B3pqbXlBpSLLwS4lgtoqHmmYuSNjL8/xoksw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicStLZGZvdGJyMyszMkFo + S2xTeUM5ZEIrbUxqbXBxQTUyeHhJVTAzUm40Ck5KbngvdWYvVk5VYTRCUWhZeFkw + eFJKVEZ3VnpuL3BmOFVQdCs2K3hoTUUKLS0tIEhFRXZyRlpPZUpEanFMU1oweVJ2 + RVJjc0FUb0NFMHk2M3gxTmhMYjlrTDgKR0tfq1CWU8OdeeigOsKqNx2sszVtPWjH + 
yXcqe/jLAnvS/Ut/afEyfGYEiyyzJXLp9TGjV1fAp9y2K2noD8/TwQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-11-29T10:54:56Z" + mac: ENC[AES256_GCM,data:OX49RTucGWdH1RkbXfkiMLH2Lj65v554WSfJxkCkIu/dFagCH90QSRiX/15HTsI//ffwKVurDivC6H6OByK2eWdaeCYTEn2029GjdL4RhJhXy0RLXEq5D/KVRu73O9Xe6M36asc/OenzPcmbHAvddD14y9vaOsVTL0H15ydVrwg=,iv:+uBt1Mvj+WMM4CvAOwmOXhZJVZBXVDCXA8iSXpdjktU=,tag:AeipsBJ8PA22OfUxXA8bIA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/web-arm/secrets.yaml b/hosts/web-arm/secrets.yaml new file mode 100644 index 0000000..1af411b --- /dev/null +++ b/hosts/web-arm/secrets.yaml 
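Review bot: The `sops.age` recipient list of this file (age16veg3…, age1v6p8d…, age1y6lvl5…) does not contain the age136s4z… key that `hosts/web-arm/secrets.yaml` further down is encrypted to, yet `modules/zammad/default.nix` points `zammad-db-password` at this file; if age136s4z… is the web-arm host key, as the other file suggests, that host cannot decrypt this secret at activation. The likely cause is that no `.sops.yaml` creation rule matches this nested `modules/zammad/` path, so the file was encrypted under a different rule; add a rule whose `path_regex` covers it and includes the host key, then re-encrypt with `sops updatekeys`. Note also that the third recipient here is a key this commit does not otherwise associate with web-arm, so as committed a different holder than the consuming host can read the secret.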
@@ -0,0 +1,50 @@ +borg-passphrase: ENC[AES256_GCM,data:V77hfP5jk/DXcvRiZKu6RLAqsJhlIelkQwA6ClYJKNmMtvAXG+g6794YJ+ooof1h8qcnMoctEWMUcsBetjaguA==,iv:OyJF/dftfEaGUnmbzrcn0P0tvnUZX4l6Vk0Qf0NwwfE=,tag:AAkRMD+jq01BPq2LSYPQGA==,type:str] +borg-ssh-key: ENC[AES256_GCM,data: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,iv:ZGV3C0nvqdEnukiPkeMxDD66OjeXQF4anQLkALmBno8=,tag:ELar6NeP5bjL5L/Z5m7Piw==,type:str] +bitwarden-admin-token: ENC[AES256_GCM,data:WWkkhaSwJA423FSeSoEmssACB6qjyM2usKFQhGqzP+es5bIbr4SxpC1vhWHoS3om+OndVsWzQe4NZ9bNvWAefw==,iv:S/JBDXLZDaCG6EvFigIdSv6GvmFAL8w0BJZFYoGgkl8=,tag:bc7bjJUlcyHEsO3AEd4sxQ==,type:str] +bitwarden-db-password: ENC[AES256_GCM,data:ues1754DstLekOtmjbi1LgpA4nV+4i9xUcUH05xPQSa1osvig1prh3JVnyYxJpy2zOqeRF0adZuRyb7/P/SLpA==,iv:AZG8FGPrcgfgNCtYjCVvIEHI3bkIjWVf82QRJ+qQdRA=,tag:IHnlKpWdyAjrgrzYaJtYiA==,type:str] +bitwarden-ldap-password: ENC[AES256_GCM,data:gz8ntl7mwA9f2I8LjTR2lBky7J3xYYTyQwXBrunF8/6eEgAme0zxeA5u3DTUrQ4BNfUqPfxHOIX38IxiLKRyzg==,iv:5J+KIER7R+93wdaiK7FAfS5+m8qFDruyTYh2a3n6PIg=,tag:dsT7s2TKWKcwgl3yOE3I5g==,type:str] +bitwarden-smtp-password: ENC[AES256_GCM,data:og0n7HJhplyAUDY45iuKtjnOOwmW9wD2UUwrt7/Mf/DgWbhLiYJH/NVPiUhSERMimZjTkjuHHp3bNGiIPRojX0ukJTbfiX01/BipDon1TVleLNq/tYB+VjL9KDoYi5Og5gg2ZG0DfXu8IKYshF0UD9gpYHmmxDWlZ+ZTi19cDKkiVErj44ov3Bia7hs22FHqg2J946PmWJbWDTuYKRqyynAoOtfwmrSXVW+Q+xmHNYIfOiNHo/33V1xj0Ldl49g3ry3nFBP9OGnPKOOYmekv14ehJ4eixDuZQT9gpU5m2zdHRAcapW3T8TGZIibOGlMeYRbPzBoISOr+q419bsAuB90lzpGLZfkvriHxuxtpGSg=,iv:WTvc7i4hrDi5aSc+PCL+gTuf4KKZehwk6WfgXumnRPE=,tag:TOHJsAJi2t6L9ahrikS67Q==,type:str] +authelia-jwt-secret: ENC[AES256_GCM,data:sr3+B5UPtPsAYq8Dwqrbb/hXKuY49nWKhkQ11DGfSSgdIEOnDHP7jnyDCB1Mt536djovmrl1AlOG6/JKyxvakQ==,iv:r/LtU4sef4bwSY+T9TFccZq+bKrcdZ/lPsY9QInQ3xk=,tag:GNC4kVLRuxxShLwIPGKZmg==,type:str] +authelia-backend-ldap-password: 
ENC[AES256_GCM,data:36qJ5r/ddjgxzq82/EkvYVM8VAKoHpNUbIKlimm7eABk2FkEw+U/7h5ZLjFPmKtKkbOUSI7R48xY0cKkodKwuA==,iv:jG0rXAX8Yi2okp1Y6ZSiGgSSAVFJakKEI781EpVgOLc=,tag:cPd4wmAaF81KbVsnmIy+NQ==,type:str] +authelia-storage-encryption-key: ENC[AES256_GCM,data:A0w+CuVEUZZruXYbPiM3Mv7DcsXlu0+PvzLUS0oX71YAX7jnYBrJBFQ+sg7Y19JhQOvugCn2VJoSkcXErPq7Fg==,iv:p90bnFfoXOVEZ+BalN+Qs6PMWG8cIAqHE8jGQAaJAJU=,tag:1yp9z6UyrasKPYHHTRyHlA==,type:str] +authelia-session-secret: ENC[AES256_GCM,data:/x+cq/QsYyev30mnFiWSd1N+WCKBI4zgAczEfv9TVO1M3NHECv7J1qI3Lw1OBmBki2yIaXeNTKvsoPy1jscYqA==,iv:yjy0Gp9XDl9ePhWk3X7ATVlAO6j0wxrwddBJ06zxP6A=,tag:vXo7+TwfEIpRipDleM1Ztw==,type:str] +authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:LWLWRJqhL3qA5w53KVVB1vPUgSVhWrnoaVvD2kqIXmfZXduqj3HYRyWnGuhBsJOrVtw9gX10VT9zADkZtuYjihMEgRF4h6BWhg/nmt2l3ancAkcnn+wkzGhfY/MWwRU74j3DFN4fNMgBRXpv54tzEzoSy5kN3VriYp8f80OsEtM=,iv:V1bzLRB4/Hg+wm/YAoPRVUkAzzRiKZPnBYWVtJ47qN0=,tag:jjgB/Ja2+A7pkASl1+dGRQ==,type:str] +authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data: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,iv:dPslR8NX+8G8uLIo+wFT46U6XAR8ao2z6/rqzJRlEr4=,tag:Wbo1guFW/ggtZjLLNSoo7Q==,type:str] +authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data: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,iv:F/oBMW+PX6ogxHSYMWRS7liolMOc5rqwIJbwYj+J9DM=,tag:7HpCNkBWKFCGoNCq2iK3YQ==,type:str] +grafana-ldap-password: ENC[AES256_GCM,data:hNB6CRtXW98yqUqInD3LsZ75sA+lVfmbooehni0UKL60qE/XCZm5B9JVO9pjxbIYZN6Eu/RFX+9L9cJVa5jnEo2MVeLS4CSjqC8BHLArlOuEdA5v8vqqJofBpBfXXN5Ca5xeUDJKz2HgtoTg7G5nTkegGZPGrmj5QQiL1xzco38=,iv:ViQAPTGxEWnjLkJlGCdCq5wW+fbr/O9er8/71VjL/GE=,tag:+Mow4cw7tvtkXvV2iSHeQw==,type:str] +grafana-admin-password: 
ENC[AES256_GCM,data:365efRy8xD7SHBnVz6ZJO3l8/lfiZ5vZPZZbxnUmjKKJTMeebLY+P54moStY0wsbU9vk7sCKATCxrS5xy+FQJSgKLoajfz50OMA4+1k3Shl+skbeIikHKwFxqrljFa6HRQ2HTW6KLDPu6Z5Agkima5xdfrtc5R1SnOFg5b6D5NU=,iv:0yZGZVQd35Itj66Ff5hDfDYYx5xsNs/wc887bgMV1MY=,tag:9t8Iffg7kxSjE5eo7iv/RQ==,type:str] +grafana-oauth-secret: ENC[AES256_GCM,data:OXsKChjgnDEKG58LarUpdJlDy4FJTrs1lrHH9I4wO+OGb+XdOPokyXSq0Om7aYhp2g40rBcQzfj5tQcgjmvZ27He93HfgxST,iv:pSiu/2G+D/wd2+FormfGiXMm2Ps/5iDDHqUnsIJ37EY=,tag:UN2IZ6/aJJSEcTmXeD9CAQ==,type:str] +promtail-nginx-password: ENC[AES256_GCM,data:zk/Wq+Nss6Md0GdhoOcysPrDBqfoAobmqb4LMDkJBjpCn/mdP3/HPiIYdZnZ0vV0JmYpQVqgVFPMlA==,iv:TA19kKllw0Vco6RRlbW4eUqeGQ0SQJRr/TATmyZBMrs=,tag:10/87/svXdL1hpUcTOtY0w==,type:str] +victoria-nginx-password: ENC[AES256_GCM,data:+rKDzML5eQX47JF1i/ZU9jwdeLgRXPyzwSCt+iDzsCx8RKSn+omTESs/P4lj9dBPO0zjo6w=,iv:o4JW6EIwTMt3SAqhGscnc9iQBwWr6VYFSIA5sc86+pc=,tag:OvupW1Py8pCu5IAemdc81w==,type:str] +nextcloud-adminpass: ENC[AES256_GCM,data:/vt17v+aaucz8sq/uYUA0hlj1urKNYcmCN0LbgGAMhWoTiTwzYr5FzrygOuZWZBeaAFH1pWItTZRXj74OX8XqutLPlYDg/jZqLszU0/9HgSBoHb5ZnPUpzIjNI9dpMttPphpo5TVrYKoh/vR3OWjJa3ObcpGLdvMQc1r8ABEvvg=,iv:0xW7++80CwZy0O4J3bFElqp0ZMC+RpO5kcczshM1pzg=,tag:PJj5PHfkoHE8jRbS4mpq6Q==,type:str] +zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str] +zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + 
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRTZCcnlXaHhiVlRhTlo2 + RWlWQkY0bkJseHdVU1BvVHRwcHhNNU1Yb2xvCm1ZeU1KY3Y4WkZPRmlvQ01HdTVP + b3lDTjZLVTRnV0NxQkU4ZVg2ck9FYTAKLS0tIFhnaTRSVVlpM28zaGI1OFJ6VkpW + QkNTd1hzSm9zNnlmTzlpQ1hsa2loeXMKfWYt6gtlXRv97kmSeT31fSA+JfQFAeH/ + e+Z8maFTUte0NF/toqsxDJPyLG8TPaWMiS+75RCRPXyvxtt58H5iOQ== + -----END AGE ENCRYPTED FILE----- + - recipient: age136s4znrmkheztq6mps46dj5z4avy2umzz3the58fqtlsksvx5skq9ljqgk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSM2NzUVVWZGZ2alJ4L0lC + TE9UWHEvNmtaT0pnVS9mUUh5VHdkQ1lIaDBNClVmendCYW5PZUNqUTFEYUhldnRZ + UWJqVTU1ajJNa0FtcnBDdThFYnBETUUKLS0tIFFROVRoTFNUOHVLSjN6elZzb1RQ + MXlOWjQ0cU1mUEhhTGlLWVNyS2V5c28KDNN6eK17Z+RZtb1/pH/tr8y9qk34cHPg + UGKimFTU2o0CvZY7ZnA24XV2RgfKs2J7COUc8I34b1kWPge57yQbJw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-08-19T12:12:46Z" + mac: ENC[AES256_GCM,data:W7MGnXfVxBgS/AQ5Xl6PcK3P4rH+1OjbWGBJBlz7KaG3uZXf8rnZGb7OUgYadu1KjhWZIJf8i3iyOBSqPTnBbd2xYKRMmxJj1qMlGY6dx8eGv4Zlvahs4pzT0iGqhC9Ce0+mc1QQwiD7paq0PSgNAy8q2XudITCS6iIL9woc+CM=,iv:SyTmDoG49wp1WPYUsnjw6u28Ch4N8a3T6EFncCgel5I=,tag:xJk//KA/Zhq3bjy1GG1L3g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/hosts/web-arm/sites/api.optiprot.cloonar.dev.nix b/hosts/web-arm/sites/api.optiprot.cloonar.dev.nix new file mode 100644 index 0000000..6ee0b0a --- /dev/null +++ b/hosts/web-arm/sites/api.optiprot.cloonar.dev.nix 
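Review bot: This file carries a second copy of `zammad-db-password` and `zammad-key-base` alongside the copy in `hosts/web-arm/modules/zammad/secrets.yaml` above, with different ciphertexts and `lastmodified` stamps (2023-08-19 here, 2022-11-29 there), so the two files can hold different values and it is not clear which one is authoritative; keeping each secret in exactly one file avoids that drift. This file is also encrypted to a single human recipient (age16veg3…) whereas the module file has two, so loss of that one key leaves no recovery path for every host secret here; add the second operator key if that is the intended policy. The bitwarden-, authelia-, grafana- and nextcloud- entries have no consumer visible in this commit, so they appear to have been carried over from another host and should be confirmed as needed rather than kept on a web host by default.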
@@ -0,0 +1,34 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."api.optiprot.cloonar.dev" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa 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" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + }; +} diff --git a/hosts/web-arm/sites/api.optiprot.eu.nix b/hosts/web-arm/sites/api.optiprot.eu.nix new file mode 100644 index 0000000..968fbcc --- /dev/null +++ b/hosts/web-arm/sites/api.optiprot.eu.nix @@ -0,0 +1,34 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."api.optiprot.eu" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa 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" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + }; +} diff --git a/hosts/web-arm/sites/api.paraclub.at.nix b/hosts/web-arm/sites/api.paraclub.at.nix new file mode 100644 index 0000000..409e1cc --- /dev/null 
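Review bot: In the `extraConfig` string the `index index.php` line has no terminating semicolon, so nginx parses it together with the next directive as `index index.php charset utf-8;` — a syntactically valid `index` directive naming three files — and `charset utf-8;` is never applied; the line should read `index index.php;`. The same omission is in `api.optiprot.eu.nix` on this line and in `api.paraclub.at.nix` and `api.paraclub.cloonar.dev.nix` on the next. Since the four files differ only in the instance name and key list, a small shared function taking the domain and keys would keep fixes like this one from being applied four times.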
+++ b/hosts/web-arm/sites/api.paraclub.at.nix @@ -0,0 +1,34 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."api.paraclub.at" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa 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" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + }; +} diff --git a/hosts/web-arm/sites/api.paraclub.cloonar.dev.nix b/hosts/web-arm/sites/api.paraclub.cloonar.dev.nix new file mode 100644 index 0000000..151ea09 --- /dev/null +++ b/hosts/web-arm/sites/api.paraclub.cloonar.dev.nix @@ -0,0 +1,35 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."api.paraclub.cloonar.dev" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa 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" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtMqcJDygWT16b7wF0qaagWUHj1+s6whMq0YRv47WA5" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + }; +} 
diff --git a/hosts/web-arm/sites/autoconfig.cloonar.com.nix b/hosts/web-arm/sites/autoconfig.cloonar.com.nix new file mode 100644 index 0000000..8b40ad0 --- /dev/null +++ b/hosts/web-arm/sites/autoconfig.cloonar.com.nix @@ -0,0 +1,36 @@ +{ pkgs, lib, config, ... }: +let + domain = "autoconfig.cloonar.com"; +in +{ + services.go-autoconfig = { + enable = true; + settings = { + service_addr = ":1323"; + domain = domain; + imap = { + server = "imap.cloonar.com"; + port = 993; + }; + smtp = { + server = "mail.cloonar.com"; + port = 587; + starttls = true; + }; + }; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + locations."/" = { + proxyPass = "http://localhost:1323/"; + }; + }; + services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = '' + return 301 https://autoconfig.cloonar.com$request_uri; + ''; + services.nginx.virtualHosts."autoconfig.korean-skin.care".extraConfig = '' + return 301 https://autoconfig.cloonar.com$request_uri; + ''; +} diff --git a/hosts/web-arm/sites/autoconfig.nix b/hosts/web-arm/sites/autoconfig.nix new file mode 100644 index 0000000..963d2b8 --- /dev/null +++ b/hosts/web-arm/sites/autoconfig.nix 
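Review bot: `services.nginx.virtualHosts."autoconfig.cloonar.com"`, `"autoconfig.superbros.tv"` and `"autoconfig.korean-skin.care"` are also defined in `autoconfig.nix` in the next hunk, and if both files are imported the module system merges them: the two redirect hosts get a server-level `return 301` that takes effect before location matching, so the PHP locations the other file attaches to them are unreachable, and on `autoconfig.cloonar.com` the `/` proxy here is combined with the PHP `root` and locations from there. Decide which file owns these hosts and drop the other definitions, or at least state the intended split in a comment such as `# / is served by go-autoconfig; the PHP autodiscover paths come from autoconfig.nix`. `service_addr = ":1323"` binds go-autoconfig on every interface although nginx reaches it via `localhost`; `service_addr = "127.0.0.1:1323";` keeps the unauthenticated backend off the network so only the TLS front end is exposed (the host firewall state is not visible here).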
@@ -0,0 +1,90 @@ +{ pkgs, lib, config, ... }: +let + domains = [ + "cloonar.com" + "ghetto.at" + "optiprot.eu" + ]; + + vhostConfig = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "/var/www/autoconfig"; + + # MS Outlook + locations."~* ^/autodiscover/autodiscover.xml".extraConfig = '' + root /var/www/autoconfig; + try_files /autodiscover.php =404; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; + ''; + + # Thunderbird + locations."/.well-known/autoconfig/mail/config-v1.1.xml".extraConfig = '' + root /var/www/autoconfig; + try_files /config-v1.1.php =404; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; + ''; + + # Apple devices + locations."/apple/get-mobileconfig".extraConfig = '' + root /var/www/autoconfig; + try_files /apple.php =404; + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket}; + ''; + + # disable logging for Apple Touch Icons + locations."~ /apple-touch-icon(|-\d+x\d+)(|-precomposed).png".extraConfig = '' + log_not_found off; + access_log off; + ''; + }; +in +{ + services.nginx.virtualHosts."autoconfig.cloonar.com" = vhostConfig; + services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig; + services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig; + services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig; + services.nginx.virtualHosts."autoconfig.korean-skin.care" = vhostConfig; + + systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."autoconfig" = { + user = "autoconfig"; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + 
"pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.php; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php ]; + }; + + users.users."autoconfig" = { + #isSystemUser = true; + isNormalUser = true; + createHome = true; + home = "/var/www/autoconfig"; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE=" + ]; + }; + users.groups.autoconfig = {}; +} diff --git a/hosts/web-arm/sites/cloonar.com.nix b/hosts/web-arm/sites/cloonar.com.nix new file mode 100644 index 0000000..27621de --- /dev/null +++ b/hosts/web-arm/sites/cloonar.com.nix 
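Review bot: the apple-touch-icon location key is a Nix double-quoted string, in which `\d` is just `d` (only `\n`, `\r`, `\t`, `\\`, `\"` and `\${` are real escapes), so nginx receives the regex `/apple-touch-icon(|-d+xd+)(|-precomposed).png` and the sized icon variants are never matched; write `"~ /apple-touch-icon(|-\\d+x\\d+)(|-precomposed)\\.png"`, as matomo.cloonar.com.nix in this commit already does with `\\.`. Both the `domains` list in the `let` and `users.groups.autoconfig` are declared but never referenced (the account's primary group is `nginx`), so either wire them up or drop them. With `homeMode = "770"` and `group = "nginx"`, the PHP sources served here are writable by every other account on this host whose primary group is `nginx` — which, in this commit, is every site user.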
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, ... }: +let + domain = "cloonar.com"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-arm/sites/cloonar.dev.nix b/hosts/web-arm/sites/cloonar.dev.nix new file mode 100644 index 0000000..50cb7d3 --- /dev/null +++ b/hosts/web-arm/sites/cloonar.dev.nix 
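Review bot: `homeMode = "770"` together with `group = "nginx"` makes `/var/www/cloonar.com` group-writable by gid `nginx`, and every other site account in this commit uses the same primary group, so any tenant's SSH session — and presumably any PHP-FPM pool, which runs with that gid — can modify this site's files. The declared `users.groups."cloonar.com"` is unused; make it the account's primary group and give nginx read access by membership instead: `group = domain; homeMode = "750";` plus `users.users.nginx.extraGroups = [ domain ];`. nginx only needs to read a static docroot, so write access for the web-server group is not required at all.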
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, ... }: +let + domain = "cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-arm/sites/diabetes-austria.cloonar.dev.nix b/hosts/web-arm/sites/diabetes-austria.cloonar.dev.nix new file mode 100644 index 0000000..417341d --- /dev/null +++ b/hosts/web-arm/sites/diabetes-austria.cloonar.dev.nix 
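Review bot: the WebP check uses `$request_uri`, which still contains the query string, so for any cache-busted URL like `/img.png?v=2` the `-f $document_root/webp/$request_uri.webp` test looks for a file literally named `img.png?v=2.webp` and silently never serves the WebP variant; use `$uri` in both places: `if (-f $document_root/webp/$uri.webp) {` and `rewrite ^ /webp/$uri.webp;`. Also, `\.` inside a Nix double-quoted attribute name collapses to a bare `.`, so `"~* \.(jpe?g|png)$"` and `"~ [^/]\.php(/|$)"` reach nginx as `.(jpe?g|png)$` and `[^/].php(/|$)`, matching any character before the extension; write `\\.` as the matomo vhost in this commit does. The same two patterns are repeated in cloonar.com.nix, both mehr-leistbaren-wohnraum-schaffen files and stage.korean-skin.care.nix.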
@@ -0,0 +1,141 @@ +{ pkgs, lib, config, ... }: +let + domain = "diabetes-austria.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."${domain}" = { + user = domain; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "stderr"; + "php_admin_flag[log_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.nur.repos.izorkin.php74; + phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ]; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}/public"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + # TYPO3 - Rule for versioned static files, configured through: + # - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename'] + # - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename'] + + extraConfig = '' + if (!-e $request_filename) { + rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last; + } + ''; + + # TYPO3 - Block access to composer files + locations."~* composer\.(?:json|lock)".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to flexform files + locations."~* flexform[^.]*\.xml".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to language files + locations."~* locallang[^.]*\.(?:xml|xlf)$".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to static typoscript files + locations."~* ext_conf_template\.txt|ext_typoscript_constants\.txt|ext_typoscript_setup\.txt".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to miscellaneous protected files + locations."~* 
/.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to recycler and temporary directories + locations."~ _(?:recycler|temp)_/".extraConfig = '' + deny all; + ''; + + # TYPO3 - Block access to configuration files stored in fileadmin + locations."~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to libraries, source and temporary compiled data + locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = '' + deny all; + ''; + + + # TYPO3 - Block access to protected extension directories + locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = '' + deny all; + ''; + + locations."/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + + # TYPO3 Backend URLs + locations."/typo3$".extraConfig = '' + rewrite ^ /typo3/; + ''; + + locations."/typo3/".extraConfig = '' + try_files $uri /typo3/index.php$is_args$args; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + }; + users.users."${domain}" = { + #isSystemUser = true; + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 
AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE=" + ]; + }; + users.groups.${domain} = {}; + + services.mysqlBackup.databases = [ "diabetes_austria" ]; +} diff --git a/hosts/web-arm/sites/gbv-aktuell.at.nix b/hosts/web-arm/sites/gbv-aktuell.at.nix new file mode 100644 index 0000000..df92214 --- /dev/null +++ b/hosts/web-arm/sites/gbv-aktuell.at.nix @@ -0,0 +1,39 @@ +{ pkgs, lib, config, ... }: +{ + services.typo3.instances."gbv-aktuell.at" = { + domainAliases = [ "www.gbv-aktuell.at" ]; + authorizedKeys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYyLbVv9l/LhpNhmE3QO0f9Lg8d2Y8JiDdn/cNcmyfO" + ]; + phpPackage = pkgs.php81; + }; + + services.awstats = { + enable = true; + updateAt = "daily"; + configs."gbv-aktuell.at" = { + webService = { + enable = true; + hostname = "gbv-aktuell.at"; + }; + logFile = "/var/log/nginx/access.log"; + extraConfig = { + # ShowDaysOfWeekStats = "0"; + # ShowHoursStats = "0"; + # ShowDomainsStats = "0"; + # ShowHostsStats = "0"; + # "ShowRobotsStats" = "0"; + # "ShowFileTypesStats" = "0"; + # "ShowDownloadsStats" = "0"; + # "ShowPagesStats" = "0"; + # "ShowOSStats" = "0"; + # "ShowBrowsersStats" = "0"; + # "ShowOriginStats" = "0"; + # "ShowKeyphrasesStats" = "0"; + # "ShowKeywordsStats" = "0"; + # "ShowMiscStats" = "0"; + # "ShowHTTPErrorsStats" = "0"; + }; + }; + }; +} diff --git a/hosts/web-arm/sites/gbv-aktuell.cloonar.dev.nix b/hosts/web-arm/sites/gbv-aktuell.cloonar.dev.nix new file mode 100644 index 0000000..9943432 --- /dev/null 
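Review bot: the "miscellaneous protected files" key is a Nix double-quoted string, where `\.` is reduced to a bare `.`, so the location nginx actually gets is `~* /.*.(?:bak|co?nf|...|ts|...|log|sh|sql|...)$` with `.` matching any character — every URI whose path ends in `ts`, `sh`, `log`, `dist`, ... (e.g. `/blog`, `/events`, `/english`) is answered with 403 instead of reaching TYPO3. The same loss affects `composer\.`, `flexform[^.]*\.xml`, `locallang[^.]*\.(?:xml|xlf)$`, `ext_conf_template\.txt` and `[^/]\.php(/|$)` in this file; double the backslash (`\\.`) in every `"..."` location key, as matomo.cloonar.com.nix in this commit does (the `''...''` rewrite block is fine, since indented strings do not process backslashes). Separately, `pkgs.nur.repos.izorkin.php74` pins a PHP series that has been end-of-life since November 2022 and is built by a third-party NUR overlay rather than nixpkgs, so this CMS runs on an interpreter that receives no upstream security fixes; that deserves at least a dated TODO next to the line.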
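Review bot: `webService.enable = true` publishes the AWStats report on `gbv-aktuell.at` (presumably under the module's default `/awstats` prefix) with no authentication visible in this hunk, and `logFile = "/var/log/nginx/access.log"` points at the host-wide nginx log, so unless the typo3 module gives this vhost its own `access_log` the public report aggregates visitor IPs, URLs and referrers from every site on web-arm. Put the report behind a credential, e.g. `services.nginx.virtualHosts."gbv-aktuell.at".locations."/awstats".basicAuthFile = "<htpasswd managed through sops like the rest of this repo>";` (adjust the prefix to what `services.awstats` actually generates), and feed AWStats a per-vhost log. The commented-out `Show*Stats` block adds nothing and can be deleted.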
+++ b/hosts/web-arm/sites/gbv-aktuell.cloonar.dev.nix
@@ -0,0 +1,10 @@
+{ pkgs, lib, config, ... }:
+{
+ services.typo3.instances."gbv-aktuell.cloonar.dev" = {
+ domainAliases = [ "typo3-gbv-aktuell.cloonar.com" ];
+ authorizedKeys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcDedq/yqC2ROzvZGTyR/tDSnTcL3LB32O2QhkgQmfn"
+ ];
+ phpPackage = pkgs.php81;
+ };
+}
diff --git a/hosts/web-arm/sites/gbv.cloonar.dev.nix b/hosts/web-arm/sites/gbv.cloonar.dev.nix
new file mode 100644
index 0000000..5aa6971
--- /dev/null
+++ b/hosts/web-arm/sites/gbv.cloonar.dev.nix
@@ -0,0 +1,71 @@ +{ pkgs, lib, config, ... }: +let + domain = "gbv.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."${domain}" = { + user = domain; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "/var/log/$pool.error.log"; + "php_admin_flag[log_errors]" = true; + "php_admin_value[display_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.nur.repos.izorkin.php74; + phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ]; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + }; + users.users."${domain}" = { + isSystemUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + }; + users.groups.${domain} = {}; + + services.mysqlBackup.databases = [ "gbv_stage" ]; +} 
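Review bot: `"php_admin_value[display_errors]" = true` sends PHP warnings and stack traces, including filesystem paths, to the browser; even on a staging host with a public hostname and ACME certificate this is a reconnaissance gift, so drop the line (or set `"php_admin_flag[display_errors]" = false;`) and rely on `error_log`, which is already configured. `"php_admin_value[error_log]" = "/var/log/$pool.error.log"` is written by the worker, i.e. as user `gbv.cloonar.dev`, and `/var/log` is not writable by that account on a default NixOS install, so the errors redirected there are likely lost — `stderr` plus `catch_workers_output`, as diabetes-austria.cloonar.dev.nix does, lands them in the journal. The pool also runs on `pkgs.nur.repos.izorkin.php74`, a PHP series with no upstream security releases since November 2022, built by a third-party NUR overlay rather than nixpkgs.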
diff --git a/hosts/web-arm/sites/matomo.cloonar.com.nix b/hosts/web-arm/sites/matomo.cloonar.com.nix
new file mode 100644
index 0000000..5f03a88
--- /dev/null
+++ b/hosts/web-arm/sites/matomo.cloonar.com.nix
@@ -0,0 +1,117 @@ +{ pkgs, lib, config, ... }: +let + domain = "matomo.cloonar.com"; + dataDir = "/var/www/${domain}"; +in { + systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false; + + services.phpfpm.pools."${domain}" = { + user = domain; + settings = { + "listen.owner" = config.services.nginx.user; + "pm" = "dynamic"; + "pm.max_children" = 32; + "pm.max_requests" = 500; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 2; + "pm.max_spare_servers" = 5; + "php_admin_value[error_log]" = "/var/log/$pool.php.error.log"; + "php_admin_flag[log_errors]" = true; + "php_admin_value[display_errors]" = true; + "catch_workers_output" = true; + "access.log" = "/var/log/$pool.access.log"; + }; + phpPackage = pkgs.php83; + phpEnv."PATH" = lib.makeBinPath [ pkgs.php83 ]; + }; + + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."~* ^.+\\.php$".extraConfig = '' + fastcgi_split_path_info ^(.+?\.php)(/.*)$; + if (!-f $document_root$fastcgi_script_name) { + return 404; + } + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + fastcgi_buffer_size 32k; + fastcgi_buffers 8 16k; + fastcgi_connect_timeout 240s; + fastcgi_read_timeout 240s; + fastcgi_send_timeout 240s; + fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket}; + fastcgi_index index.php; + ''; + + ## serve all other files normally + locations."/".extraConfig = '' + index index.php index.html; + try_files $uri $uri/ /index.php$is_args$args; + ''; + + ## disable all access to the following directories + locations."~ ^/(config|tmp|core|lang)".extraConfig = '' + deny all; + return 403; # replace with 404 to not show these directories exist + ''; + + locations."~ /\\.ht".extraConfig = '' + deny all; + return 403; + ''; + + locations."~ 
js/container_.*_preview\\.js$".extraConfig = '' + expires off; + add_header Cache-Control 'private, no-cache, no-store'; + ''; + + locations."~ \\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$".extraConfig = '' + allow all; + ## Cache images,CSS,JS and webfonts for an hour + ## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade + expires 1h; + add_header Pragma public; + add_header Cache-Control "public"; + ''; + + locations."~ ^/(libs|vendor|plugins|misc|node_modules)".extraConfig = '' + deny all; + return 403; + ''; + + ## properly display textfiles in root directory + locations."~/(.*\\.md|LEGALNOTICE|LICENSE)".extraConfig = '' + default_type text/plain; + ''; + + }; + users.users."${domain}" = { + isSystemUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + }; + users.groups.${domain} = {}; + + systemd.services."matomo-archive" = { + startAt = "*-*-* 23:00:00"; + serviceConfig = { + Type = "oneshot"; + User = "${domain}"; + ExecStart = "${pkgs.php83}/bin/php /var/www/${domain}/console --matomo-domain=matomo.cloonar.com core:archive"; + }; + }; + + services.mysqlBackup.databases = [ "matomo" ]; +} diff --git a/hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.at.nix b/hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.at.nix new file mode 100644 index 0000000..214f9bd --- /dev/null +++ b/hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.at.nix 
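Review bot: `"php_admin_value[display_errors]" = true` on the production Matomo instance (`forceSSL`/`enableACME`, public hostname) means any PHP warning — misconfigured plugin, DB outage — echoes file paths and query fragments to anonymous visitors; remove the line or set `"php_admin_flag[display_errors]" = false;` and keep `log_errors`/`catch_workers_output`. `~* ^.+\\.php$` hands every `.php` under the docroot to PHP-FPM, whereas Matomo's reference nginx config, as far as I recall it, only executes `index.php`, `matomo.php`, `piwik.php`, `js/index.php` and the HeatmapSessionRecording config script and denies the rest. The `deny` locations for `config|tmp|core|lang` and `libs|vendor|plugins|misc|node_modules` only protect this if they are emitted before the PHP regex, which here rests on NixOS ordering same-priority locations by attribute name (`~ ` sorts before `~*`) rather than on an explicit setting; give the deny locations `priority = 900;` (or narrow the PHP regex to the allowlist) so the ordering is intentional.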
@@ -0,0 +1,65 @@ +{ pkgs, lib, config, ... }: +let + domain = "mehr-leistbaren-wohnraum-schaffen.at"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."www.${domain}" = { + enableACME = true; + forceSSL = true; + globalRedirect = domain; + }; + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."mehr-leistbaren-wohnraum" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk=" + ]; + }; + users.groups.${domain} = {}; +} 
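Review bot: both `~*` locations can match a `.jpg`/`.png` request, and nginx takes the first matching regex location in configuration order; NixOS emits same-priority locations in attribute-name order, which puts `"~* \.(jpe?g|png)$"` before `"~* \.(js|jpg|gif|png|webp|css|woff2)$"`, so `expires 365d` and the cache headers presumably never apply to JPEG/PNG responses on this site (the WebP block only sets `Vary`, and only when a WebP variant exists). Fold the `expires`/`add_header` lines into the WebP location rather than reordering, since putting the cache location first would skip the WebP rewrite entirely. `users.groups."mehr-leistbaren-wohnraum-schaffen.at"` is declared but unused: the account is `mehr-leistbaren-wohnraum` with primary group `nginx`.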
diff --git a/hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix b/hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
new file mode 100644
index 0000000..fdba151
--- /dev/null
+++ b/hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix
@@ -0,0 +1,60 @@ +{ pkgs, lib, config, ... }: +let + domain = "mehr-leistbaren-wohnraum-schaffen.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."mehr-leistbaren-wohnraum-dev" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk=" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-arm/sites/module.paraclub.at.nix b/hosts/web-arm/sites/module.paraclub.at.nix new file mode 100644 index 0000000..cf17b07 --- /dev/null +++ b/hosts/web-arm/sites/module.paraclub.at.nix 
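Review bot: `users.groups."mehr-leistbaren-wohnraum-schaffen.cloonar.dev"` creates a group that nothing references — the account defined just above is `mehr-leistbaren-wohnraum-dev` with `group = "nginx"` — so the declaration is dead and the naming drifts from the other site files, which key the group by the user name. Either name the group after the user and make it the primary group (`group = "mehr-leistbaren-wohnraum-dev";` plus `users.groups."mehr-leistbaren-wohnraum-dev" = {};`) or delete the line; as written the docroot's group-write bit (`homeMode = "770"`) is granted to `nginx`, i.e. to every other site account on this host.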
@@ -0,0 +1,44 @@ +{ pkgs, lib, config, ... }: +let + domain = "module.paraclub.at"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + try_files $uri $uri/ /index.html$is_args$args; + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-arm/sites/module.paraclub.cloonar.dev.nix b/hosts/web-arm/sites/module.paraclub.cloonar.dev.nix new file mode 100644 index 0000000..94a93ac --- /dev/null +++ b/hosts/web-arm/sites/module.paraclub.cloonar.dev.nix 
@@ -0,0 +1,45 @@ +{ pkgs, lib, config, ... }: +let + domain = "module.paraclub.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + try_files $uri $uri/ /index.html$is_args$args; + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0j0teJ1v7Ke2NYVWlHOd4sYBiE8uLHAtY+Myi7g267" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-arm/sites/optiprot.cloonar.dev.nix b/hosts/web-arm/sites/optiprot.cloonar.dev.nix new file mode 100644 index 0000000..ebd841a --- /dev/null +++ b/hosts/web-arm/sites/optiprot.cloonar.dev.nix @@ -0,0 +1,15 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."optiprot.cloonar.dev" = { + authorizedKeys = [ + "ssh-rsa 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" + ]; + locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = '' + try_files $uri $uri/ /en/products/index.php?$args; + ''; + locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = '' + try_files $uri $uri/ /de/produkte/index.php?$args; + ''; + phpPackage = pkgs.php81; + }; +} 
diff --git a/hosts/web-arm/sites/optiprot.eu.nix b/hosts/web-arm/sites/optiprot.eu.nix new file mode 100644 index 0000000..e5295c0 --- /dev/null +++ b/hosts/web-arm/sites/optiprot.eu.nix @@ -0,0 +1,15 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."optiprot.eu" = { + authorizedKeys = [ + "ssh-rsa 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" + ]; + locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = '' + try_files $uri $uri/ /en/products/index.php?$args; + ''; + locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = '' + try_files $uri $uri/ /de/produkte/index.php?$args; + ''; + phpPackage = pkgs.php81; + }; +} diff --git a/hosts/web-arm/sites/paraclub.at.nix b/hosts/web-arm/sites/paraclub.at.nix new file mode 100644 index 0000000..e5a4ba3 --- /dev/null +++ b/hosts/web-arm/sites/paraclub.at.nix @@ -0,0 +1,43 @@ +{ pkgs, lib, config, ... }: +let + domain = "paraclub.at"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${domain} = {}; +} 
diff --git a/hosts/web-arm/sites/paraclub.cloonar.dev.nix b/hosts/web-arm/sites/paraclub.cloonar.dev.nix new file mode 100644 index 0000000..a18d6b3 --- /dev/null +++ b/hosts/web-arm/sites/paraclub.cloonar.dev.nix @@ -0,0 +1,44 @@ +{ pkgs, lib, config, ... }: +let + domain = "paraclub.cloonar.dev"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${domain}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6QT0k58R90NrmDIjP1bNalHnwr9Y++tOhV9kRUVivI" + ]; + }; + users.groups.${domain} = {}; +} diff --git a/hosts/web-arm/sites/stage.korean-skin.care.nix b/hosts/web-arm/sites/stage.korean-skin.care.nix new file mode 100644 index 0000000..03b73ef --- /dev/null +++ b/hosts/web-arm/sites/stage.korean-skin.care.nix 
@@ -0,0 +1,61 @@ +{ pkgs, lib, config, ... }: +let + user = "stage_korean_skin_care"; + domain = "stage.korean-skin.care"; + dataDir = "/var/www/${domain}"; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + ''; + + locations."~* \.(jpe?g|png)$".extraConfig = '' + set $red Z; + + if ($http_accept ~* "webp") { + set $red A; + } + + if (-f $document_root/webp/$request_uri.webp) { + set $red "''${red}B"; + } + + if ($red = "AB") { + add_header Vary Accept; + rewrite ^ /webp/$request_uri.webp; + } + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${user}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLGkR8JVFtyFnsXTooT/krORpPDdnFk612GW1agaOeG" + ]; + }; + users.groups.${user} = {}; +} diff --git a/hosts/web-arm/sites/stage.myhidden.life.nix b/hosts/web-arm/sites/stage.myhidden.life.nix new file mode 100644 index 0000000..1596040 --- /dev/null +++ b/hosts/web-arm/sites/stage.myhidden.life.nix 
@@ -0,0 +1,49 @@ +{ pkgs, lib, config, ... }: +{ + services.webstack.instances."stage.myhidden.life" = { + enableDefaultLocations = false; + enableMysql = true; + authorizedKeys = [ + "ssh-rsa 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" + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW5N11DiAUBfjPFCcFX3CRzF6zAWD2sxMC1+IGC73/2" + ]; + extraConfig = '' + add_header X-Frame-Options "SAMEORIGIN"; + add_header X-Content-Type-Options "nosniff"; + + index index.php + + charset utf-8; + + error_page 404 /index.php; + ''; + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + locations."/robots.txt".extraConfig = '' + access_log off; + log_not_found off; + ''; + + locations."/".extraConfig = '' + try_files $uri $uri/ /index.php$is_args$args; + ''; + phpPackage = pkgs.php82.withExtensions ({ enabled, all }: + enabled ++ [ all.imagick ]); + + phpOptions = '' + upload_max_filesize = 50M + post_max_size = 50M + ''; + }; + + systemd.services."stage-myhidden-life-schedule" = { + startAt = "*:0/1:0"; + serviceConfig = { + Type = "oneshot"; + User = "stage_myhidden_life"; + ExecStart = "${pkgs.php83}/bin/php /var/www/stage.myhidden.life/artisan schedule:run"; + }; + }; +} diff --git a/hosts/web-arm/sites/tandem.paraclub.at.nix b/hosts/web-arm/sites/tandem.paraclub.at.nix new file mode 100644 index 0000000..362b359 --- /dev/null +++ b/hosts/web-arm/sites/tandem.paraclub.at.nix 
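Review bot: the `stage-myhidden-life-schedule` timer runs Artisan with `${pkgs.php83}/bin/php`, but the instance's web pool is built from `pkgs.php82.withExtensions (... all.imagick)`, so the scheduler executes the same codebase on a different PHP major and without the imagick extension — any scheduled job that touches images fails only in the background, where nobody is watching. Bind the interpreter once and reuse it: `let php = pkgs.php82.withExtensions ({ enabled, all }: enabled ++ [ all.imagick ]); in` with `phpPackage = php;` and `ExecStart = "${php}/bin/php /var/www/stage.myhidden.life/artisan schedule:run";`. `User = "stage_myhidden_life"` presumes the webstack module derives the account name by replacing dots with underscores, which is not visible in this diff. The `index index.php` line is also missing its `;`, as in api.paraclub.at.nix.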
@@ -0,0 +1,45 @@ +{ pkgs, lib, config, ... }: +let + domain = "tandem.paraclub.at"; + dataDir = "/var/www/${domain}"; + user = builtins.replaceStrings ["." "-"] ["_" "_"] domain; +in { + services.nginx.virtualHosts."${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = "${dataDir}"; + + locations."/favicon.ico".extraConfig = '' + log_not_found off; + access_log off; + ''; + + locations."/".extraConfig = '' + index index.html; + try_files $uri $uri/ /index.html$is_args$args; + ''; + + locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = '' + expires 365d; + add_header Pragma "public"; + add_header Cache-Control "public"; + ''; + + locations."~ [^/]\.php(/|$)".extraConfig = '' + deny all; + ''; + }; + users.users."${user}" = { + isNormalUser = true; + createHome = true; + home = dataDir; + homeMode= "770"; + #home = "/home/${domain}"; + group = "nginx"; + openssh.authorizedKeys.keys = [ + "ssh-rsa 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" + ]; + }; + users.groups.${user} = {}; +} diff --git a/hosts/web-arm/sites/tandem.paraclub.cloonar.dev.nix b/hosts/web-arm/sites/tandem.paraclub.cloonar.dev.nix new file mode 100644 index 0000000..c7af300 --- /dev/null +++ b/hosts/web-arm/sites/tandem.paraclub.cloonar.dev.nix 
@@ -0,0 +1,46 @@
+{ pkgs, lib, config, ... }:
+let
+ domain = "tandem.paraclub.cloonar.dev";
+ dataDir = "/var/www/${domain}";
+ user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
+in {
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ acmeRoot = null;
+ root = "${dataDir}";
+
+ locations."/favicon.ico".extraConfig = ''
+ log_not_found off;
+ access_log off;
+ '';
+
+ locations."/".extraConfig = ''
+ index index.html;
+ try_files $uri $uri/ /index.html$is_args$args;
+ '';
+
+ locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+ expires 365d;
+ add_header Pragma "public";
+ add_header Cache-Control "public";
+ '';
+
+ locations."~ [^/]\.php(/|$)".extraConfig = ''
+ deny all;
+ '';
+ };
+ users.users."${user}" = {
+ isNormalUser = true;
+ createHome = true;
+ home = dataDir;
+ homeMode= "770";
+ #home = "/home/${domain}";
+ group = "nginx";
+ openssh.authorizedKeys.keys = [
+ "ssh-rsa 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"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILamV0WQER05HbpFlKjMBSv/mN3d1kzS0Jxf8O5p/T1L"
+ ];
+ };
+ users.groups.${user} = {};
+}
diff --git a/hosts/web-arm/utils b/hosts/web-arm/utils
new file mode 120000
index 0000000..6b18391
--- /dev/null
+++ b/hosts/web-arm/utils
@@ -0,0 +1 @@
+../../utils
\ No newline at end of file
diff --git a/papa-nb.md b/papa-nb.md
deleted file mode 100644
index abc7f57..0000000
--- a/papa-nb.md
+++ /dev/null
@@ -1,7 +0,0 @@
-excel
-überweisungen
-email - outlook
-remote desktop
-cewe fotobuch
-
-
diff --git a/utils/modules/lego/secrets.yaml b/utils/modules/lego/secrets.yaml
index f35af11..3fac7e7 100644
--- a/utils/modules/lego/secrets.yaml
+++ b/utils/modules/lego/secrets.yaml
@@ -8,92 +8,101 @@ sops: - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva0ZWWG01TlpTby81NzFR - elJvRnZGcmpvZzlra05aNFQvL2ZuZnRYcHdRCkI0Ylp3dENWQ1p0ZWJOckk4UHpJ - aVRyUnd2MVRBKysySm45MVZNUm1ScWsKLS0tIDlBTm5JY29MMTdKUHZSMUM5M1ow - QkRXdE1BakZWUjlxTDByQ2IreFJ0WW8KPRgox+gVV4JsrVcBlaNT8MM32TWLvjFy - quGn6+RAlqH1dTxF7zAWP9ArotxK0zWwdJe3THp/so1PzfHzG153Og== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMXJwSnlPZSswdE0zcjht + SVU5QzhkQWhQQndKWUFHeW5PRHFkTXB1YkZ3CjNONDJ4dmNmdjZDbUFWbmlibitu + eDZzNDd2VysvNTJHVTJtUkhRb0h2SEEKLS0tIFhzZ2VjK2EyUTRxWTQ1VVAyT1BO + S1dmN3RKdmNlQlMxWDJXeGhvV01JWHMK5vekesz0Rul/62RL3G/vcDF9ZmO5TIPY + YdAzZrjAt5Z87kobunkZbey0CJIBq25eIidg8PdbGmrx6VFoutns9Q== -----END AGE ENCRYPTED FILE----- - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL3NZYjAxU1hXQTYyL2xw - OE9nUlZWMmxqOTBHQkptRVR4NkZmRkZaQ21NCjBsMFlSdzk0NmNoTDVBYWZOTkpK - U2wyUDdxRnF6SWtzRUZBTGwvZ0hVaHcKLS0tIGR3Z1FSOVZNUkJCZmpVZy9EVS9M - UjJkTnQxZUJFaGZzZ0M3WTVIeU1SdVUKkpEonSeadfMW2buitIkTvo096uyNAuM/ - gHAmWaN/I5cUTkg1NIeboKLYhkKt2gEuAKaOsu1JuUvsBBtehHOpJg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMmxHZnJjVHp0Vks2WG51 + N1BGdjI5bzRUWDVyQmRjWVYxWktFSlB0TGcwCncxeE1uSTlRTzNjL2dMOUhJbmJI + bFNTaUYrTlBUL29rbEZDdkNISjlOSkEKLS0tIGNiM2RFRXhUV3RmY0M0N0UrTE41 + M0liVXlsMFJzVmR2T1hHUUt0d0VSbmsKANZB5eDBTVhG6jPA1mUQyN9VEWC3V4uC + eBXdxs79ZSw8MHzqVpyCLh6+ztY4oVrw2dkMYVlsK1Oe/9fEMeH4+g== -----END AGE ENCRYPTED FILE----- - recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cnIvTXZGdFN6bjNPbUVN - Z3RYdFdVamc2ZHJtanNYdTZWQkV5YjQ1YVc0CkVPUHZZRms2M3VSU2NjVzNUaTJY - ZnZtRmx0OThIR3ZtekRlZTUycFFHb0UKLS0tICtib0xqelNibUMwTmFzS2dFTFBU - 
bnU2ZzRGcVNLajI1SlpVOEMrQzNhRXcKxG0zj45vFrARUsWm4pkkxm7UcEVfy15w - sCzUFK7MSzYMbcUAeuSSJKLeJV9h2O0Nd4kRV8jO9dTTcT9xhIftzw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUWFPNTB6MG9iSGRNSTlZ + c1R6TGtOTW94eE9mS0ZCSjRkUEloNkF5TnlrCmJjaUIxU0dKaVJub2NQTlV2Uksy + Rm9NaDBWN2VuNEFIdUNrdFNBbDdsdW8KLS0tIGF3TExLK2Q3VEs2YWQvVUxVbWlr + em9hQXlSZ2VKZkN4MVMzWFNQOFJvWGMKc567TYejDxyH4Jx2iQvPpQkeyDA4w0of + ZIlW0vfJE61pkuWJs6lQ2F+0VzMHmpIsC2wR4p4+JfQEES3jCG3P3w== -----END AGE ENCRYPTED FILE----- - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObU9iL3pCam9kUjhxNWZR - QUtxUFpnTlVJT25TNmZqbVdOT05jZjZmcTFjCmwwa2pDb3o3SlA5b0FJTE42Lyt2 - aUNUSWlsOGVUT3dNRnR3cE9FL1EzenMKLS0tIHg0WE0yOVkwZml5K2YxUTZtaElI - OUNxdUgyS21ZTFZoelVxRXRvakI5WUkK1HiQQqW7YT+Ra9fgpIU7/lKqKlT5KR0L - /jIVJxR61k9hVMjnh4s0ttKJc0UMNSqOej1SljaNXcH+c1wAckGl8g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYk9LQ1RrUVp2U1RDekxR + OWZXcmJsNWdGK0pnRDhJempoSWlUc2t1elVNCnoyRE5RRGJ6QkYzZ1lOc3pveGty + aUNKczVDamJuc3lRVm5Ca3Z6bWViYXMKLS0tIHZwTDd3emVLMzQ1QjNuY3EvZXVQ + emt1K21WNndYbnh4b1c0SERqTEJjNHMKKEUxjSAVO53bL9jGkbLn8xoj5motIlC9 + d2UvlsPGU6Vi6zdg6ugf58WMD/pgr0NjmVFL0nk7XmNL19+eBuDPqw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTGVCOTlJQkZ1WDRkaHh6 + dUlEcVBhMDRmZjJYdHdpUUhyZkxsaXFLd2dBCnZMVFhudGJTNmpDWEFEM0pRM3JJ + cURqLzdsMHdxRG9oNGhXOE1VU1NCRmcKLS0tIGJodWoyYlhIQzBMRnRKTzFPckll + YjM5cGFFWlZocUs3dXRSaHJDYndCeEEK50eynm0a4FYdT+BTB1mj/BXu/sXAGYnk + jrWzH2HMdQARszniSHflguIOLo/oVCefF0EbAWyEa5XbpSVyRyYQxw== -----END AGE ENCRYPTED FILE----- - recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVpjK2ZYT0c3dURKY3Zn - 
ZUFrY29kTGQrT1d5Kzh3eTcreUpMTlNERVRRCll4NHpmdTN4bHFvdlMramJaemdM - VGNPQlZMcmdLQngyUC9LUXFYa25CNTAKLS0tIHRBMlJHS3duVnMwY0Q3ZDZWMzVQ - UmRGNHRpQjhhSzZqbTljVERqRHZWekkKyFju3iGm7ebnyYkwj23ES2hUQmjNOcUt - 4pBdZQe37zhaAspSTmLBfAnEITDh+ZSaOEmIZgExnQk38hB0Ahq9mQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K0dNUlQ1UVBTVUJsRXBu + cVY4NDYwUTUwaTVYTlZaNy9mdHUvbXpOVlJNCnRHanBuVkJMbEkvUSsyU2gwd3R2 + RG5IM2c4N2w1UjZVWG9QbzhyRTNyd00KLS0tIDVVOE5FZlNYaGsxdHJ4RUlTRjYz + Z0xuVVAzemF6b3dBZGNYdFRUdktYR1EKX7QXdIGBry3j1QfFDGqYFGBVo84NcW4B + wz8ijaCnFb8FR6+PIOfXe44KGXgpqelUP2KjGyo8XbBgFzrHH+BX4A== -----END AGE ENCRYPTED FILE----- - recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUitId2REWVg0N1FEa0Z4 - ZEJaTGZDRDMvR0J6TjNHVkZhU0xYc0NVYlVRCkRPdU9ucW1mMnhHcDIrUG8wdTBz - dDBNclUwRi9jdTNtV1FTL3lvTDV6aG8KLS0tIEJmeklxTEpYYUI1aVkrTDRCU1pT - UWRQNTEyMVlHRHBvSlRDRzErQSt2TUkKgLNNvXQD4U2q2A+b5+9COlnxDc9jLFWE - xDURstl4BjNPIp3pNkiQ+qQsWgH430hsOPvokb2HTFmmu2872YwC0Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVmpyQ281MHl3L1k2aVls + UDBXbnNqa3pIZEs1TXFCanphY2NCcmdLUVU4CmVOZ3FWT0ptOEE0Y1NPQXlTS0Q3 + QVFpazNmMkx1Zkp2eXR2RXZEQjc5MU0KLS0tIGxIRmtjNllrbmVFZVZWZ21VNlZC + WmZKNFBzTkNBNlJkSmRXRWpqdk9HMlUKYeLz0i+P1i6zo8DT/AX+b81vWoQ8c6I7 + p4xBmiGr+wvtAcA8viR4q65F3ZfFxY5GOsEtvtiSROj7Jcr/TIi+iA== -----END AGE ENCRYPTED FILE----- - recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcTB2eGRUM0gxa3QyTG9y - eW0xVmg2UHRmdGRPT1U5a1crZVJCR1o3YVVzCm9uTmg4aUF4TXkrdFB2eDVENkNx - YWtqU3pEZzhnU3BocUdzbTYzaTVhR28KLS0tIGxDZGoxcmhHVHdQOHZDd1M0Si94 - bThMeHp6Zm55RG9MTTd2ajVxdTZtN0UKedZQO8bhfzCz1Nq4ajFq5zw0fTS4jN0K - nJ56i0J+T6rOx+iS8V2tfsf4eEbWT5cxio2RvaDQs3X+t4Agg4QNVQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY0pvTEhPVnY3U3BrNENl + 
NTE3S0NHQmVMRFc4b0VoRXp1ZEtkZnBseGtNCjc1ZWhDeWZmZHR1cHYyaEFGQm00 + dXE1WXZFd3FzcEJpSzcrQ2x2LzNUUkkKLS0tIGhhRW9RNk5Da21JdElMd1kyd1RQ + VVVrYUJmamdnU1BZK09qN2pqWWZyV2sKXu0CGOeSxi8KXvJbZ85KlmhYez7LflaA + PPiJbrbvVLR5Ui18zOZFAUewqKANTS15ut75V3rUoa2JVeSfpi617g== -----END AGE ENCRYPTED FILE----- - recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFR1dvU3JGRFZYMzlqN1BS - YmNyb2xibWZVYTluSlhpTExIYkRvVnhlcDAwCnAvbTJYblFTZmNMaVVOQ21mL0hY - aE56czFXY2tJa3BLemtYQXFleWtrVHcKLS0tIEZ6WjdrK01haFk2L3VsS0RDSFdm - K2JzcFl4ZUZseFcwdmo0YmpBNXVQV1UKdFHcxBWuYApHcqkwzG++tQcW6Y6Vn7W7 - E4dZXed5h+CkLRBTUKMLPD+Lh55odSoOfJBL3OrqUGQT0Wj0Zv6BnA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQN0JLWlFLRUdkT0Z4MmlF + R2pMNktUR1BPNG0xdmp5VGVKcFVCYW1iZldzCjBXdXFlaVRVYmNYU2FKb0I2WXp5 + V21YTUxWTytTbUZ6OGVoaVhaZjlNKzAKLS0tIGlrRGVtUjM5OUNUZkxtcE5RcFBF + VGJ0V0YwS08zQW1Ua0dESmtWNjNZbGsKQ2eAGtCydscSQvLfHBxtUJyPgxNymWyT + wcMty732aWZw/uroJYYcrlfTm3q5Qs4+1mT57sxGBiL2XE6ruWdKgg== -----END AGE ENCRYPTED FILE----- - recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNS3RIUm16OWF4ZTUzWC9l - NTdMYTg5ejZENFlSdDlreFRuaU1sT3pxR1VjCnloZkNpVEM5V1h4Y2QxMWhkT2xq - NkdiM1YzRkpweFY3QzBtNFgzT3hyU2MKLS0tIEhtenk5UlJGMTVmSzEvdlAyRDIr - YWd5dnZwSlp0T0lzOXJtRUlXWTUvRFkK12z9jv5v65LTpD2opIEQ/FlNPjyIGyo1 - VKLaPg0MSIDxtqNZ8RSzWrRev+7VAlCZCWGtIrqtkABeRIHY0Qassw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkN0R6Y3JPS2tRcnB0VFBo + YzNNaVhodERUcnlTTmtNc2tzcy8yS0x5R0RBCmJtb2RMMkFjdUd3OUc2MFZoZnU4 + M0hGUW5YU000c09zR1hHZUs3cUVqOTgKLS0tIEFsVENreWcrZCtiNjg1YS9hVHpQ + WGVNNVZOV0JNQllpUnNSdHJiTDdOWFkKcwPzK8difry1xwjHZkOLDNcUaPUd1RCo + QeW8SPusotYscSQmVckxOUppdhpewF95isfCdoy4JtVulkNQCOJJVg== -----END AGE ENCRYPTED FILE----- - recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df enc: | -----BEGIN AGE 
ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS2QyZFA5cmY1YjNnSzZX - SnM3M21mY0FHZXpLS3d0Zk5XUC9VVFFzWmlRCjFVU2Z1TjJNYmFRUVB1NHYvM1p3 - ZWxzN0NTdXJ6TlFtSzJFcUtzYWF4YXcKLS0tIHhlVCthYVJqa2xYbmE4YzVLZTht - cE51bExUMzloUnpSUS8zRm9QTjBIODgKaSaWFxjDn9jmEu2B35AyVJVDtI/2WT31 - NuyhLAn3kE79MsT1CAE5HTTilmcKi9n8gULjv6ii1Nd+F6MUfBmmBA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRHMrMDdLSEhLUjliblhB + WUFZTUkrOEFnRkl5a21RaXhoMnJRc3lDRldvCk4wZ1ZJaXRxaEVNYTVwOFZVcUNH + cDl6QThwTVhXMVdRY3h4R0hXSDJDLzAKLS0tIEppRFJMK2Y3dDZ2eTZPblNxQnA2 + S1hyR1VxNFJkRnp0aDI0aUR1cHI1bGcKVVpd18ll/IsHjYajG4ziu1jfn5px+I/y + s2eWJY9CAHAFStl0MV8AoBWpZ+KoeMbBDZ1HXwK8UBZhCsjm0nnyfw== -----END AGE ENCRYPTED FILE----- lastmodified: "2022-11-09T07:12:13Z" mac: ENC[AES256_GCM,data:gqsD5gTtE5ZqWzWKAAIscecvIsGSC9j4Cnbik6Yk7Jf7Z5/NIxbkInzDsLmlU3ObbLZAhGAlOAKIrUVy37rCcEZ+I04ICXK1dmUdsVud6E4SvTdDjh9qlXTbEkcDCY2YqXlTuQl6IZyveaPuF6fRe1FMh8JEpDv/foZTl8+AuQQ=,iv:+nV6YW9m1B0qo7xbB1lw9dgiQ877GQ6OxMqjk7lei10=,tag:NmeSwBWRKpqlwZxYYC7trg==,type:str] diff --git a/utils/overlays/packages.nix b/utils/overlays/packages.nix index f34a9ed..4271602 100644 --- a/utils/overlays/packages.nix +++ b/utils/overlays/packages.nix @@ -3,5 +3,7 @@ self: super: { ykfde = (super.callPackage ../pkgs/ykfde { }); sysbox = (super.callPackage ../pkgs/sysbox.nix { }); omada = (super.callPackage ../pkgs/omada.nix { }); + creality-print = (super.callPackage ../pkgs/creality-print.nix { }); + openaudible = (super.callPackage ../pkgs/openaudible.nix { }); wow-addon-manager = (super.callPackage ../pkgs/wow-addon-manager { }); } diff --git a/utils/pkgs/creality-print.nix b/utils/pkgs/creality-print.nix new file mode 100644 index 0000000..cd0bb42 --- /dev/null +++ b/utils/pkgs/creality-print.nix 
@@ -0,0 +1,15 @@
+{ appimageTools, fetchurl }:
+let
+ pname = "creality-print";
+ version = "4.3.7.6627";
+
+ src = fetchurl {
+ url = "https://file2-cdn.creality.com/file/05a4538e0c7222ce547eb8d58ef0251e/Creality_Print-v4.3.7.6627-x86_64-Release.AppImage";
+ # nix-prefetch-url --type sha256 --name Creality_Print-v4.3.7.6627-x86_64-Release.AppImage https://file2-cdn.creality.com/file/05a4538e0c7222ce547eb8d58ef0251e/Creality_Print-v4.3.7.6627-x86_64-Release.AppImage
+ # nix-hash --type sha256 --to-sri
+ sha256 = "sha256-WUsL7UbxSY94H4F1Ww8vLsfRyeg2/DZ+V4B6eH3M6+M=";
+ };
+in
+appimageTools.wrapType2 {
+ inherit pname version src;
+}
diff --git a/utils/pkgs/openaudible.nix b/utils/pkgs/openaudible.nix
new file mode 100644
index 0000000..053df78
--- /dev/null
+++ b/utils/pkgs/openaudible.nix
@@ -0,0 +1,16 @@
+{ appimageTools, fetchurl }:
+let
+ pname = "openaudible";
+ version = "4.4.3";
+
+ src = fetchurl {
+ url = "https://github.com/openaudible/openaudible/releases/download/v${version}/OpenAudible_${version}_x86_64.AppImage";
+ # nix-prefetch-url --type sha256 --name Creality_Print-v4.3.7.6627-x86_64-Release.AppImage https://file2-cdn.creality.com/file/05a4538e0c7222ce547eb8d58ef0251e/Creality_Print-v4.3.7.6627-x86_64-Release.AppImage
+ # nix-hash --type sha256 --to-sri
+ sha256 = "sha256-iTxN+SSGddbddtcqx2u69kEJYtSCLW7DOxu0HDYHfz0=";
+ };
+in
+appimageTools.wrapType2 {
+ inherit pname version src;
+ extraPkgs = pkgs: [ pkgs.webkitgtk pkgs.glib-networking ];
+}
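Review bot: The AppImage fetched here is an x86_64 build, yet the derivation declares no platforms, so it would be offered for evaluation on the aarch64 host this commit introduces under hosts/web-arm and only fail when executed; add `meta.platforms = [ "x86_64-linux" ];` to the `wrapType2` attribute set (the same applies to openaudible.nix below). `version` is bound but the `url` repeats the version literally, so a bump must be edited in two places; interpolate it as `Creality_Print-v${version}-x86_64-Release.AppImage`, bearing in mind that the opaque CDN path component may also change per release.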
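Review bot: The `nix-prefetch-url` comment above `sha256` was copied from creality-print.nix and still names the Creality_Print AppImage URL, so it documents how to recompute the wrong hash. Replace it with `# nix-prefetch-url --type sha256 --name OpenAudible_4.4.3_x86_64.AppImage https://github.com/openaudible/openaudible/releases/download/v4.4.3/OpenAudible_4.4.3_x86_64.AppImage` so the recipe matches the `url` expression on the line above it.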