add zammad to fw vm, add web-arm machine

hosts/fw.cloonar.com/configuration.nix

@@ -25,9 +25,18 @@
     ./modules/ddclient.nix
     ./modules/wol.nix
 
+    # microvm
+    ./modules/microvm.nix
+    ./modules/gitea-vm.nix
+
+    # web
+    ./modules/web
+
     # git
     ./modules/gitea.nix
     # ./modules/fwmetrics.nix
+
+    ./modules/firefox-sync.nix
     
     # home assistant
     ./modules/home-assistant

hosts/fw.cloonar.com/modules/dhcp4.nix

@@ -77,6 +77,11 @@
               ip-address = "10.42.97.2";
               server-hostname = "omada.cloonar.com";
             }
+            {
+              hw-address = "02:00:00:00:00:03";
+              ip-address = "10.42.97.5";
+              server-hostname = "web-02.cloonar.com";
+            }
             {
               hw-address = "ea:db:d4:c1:18:ba";
               ip-address = "10.42.97.50";

hosts/fw.cloonar.com/modules/firefox-sync.nix

@@ -0,0 +1,83 @@
+{ config, pkgs, ... }:
+let
+  domain = "sync.cloonar.com";
+in {
+  sops.secrets.firefox-sync = { };
+
+  security.acme.certs."${domain}" = {
+    group = "nginx";
+  };
+
+  containers."firefox-sync" = {
+    autoStart = true;
+    ephemeral = false; # because of ssh key
+    privateNetwork = true;
+    hostBridge = "server";
+    hostAddress = "10.42.97.1";
+    localAddress = "10.42.97.51/24";
+    bindMounts = {
+      "/run/secrets/firefox-sync" = {
+        hostPath = "/run/secrets/firefox-sync";
+        isReadOnly = true;
+      };
+      "/var/lib/acme/${domain}/" = {
+        hostPath = "${config.security.acme.certs.${domain}.directory}";
+        isReadOnly = true;
+      };
+    };
+    config = { lib, config, pkgs, ... }: {
+      networking = {
+        hostName = "firefox-sync";
+        useHostResolvConf = false;
+        defaultGateway = {
+          address = "10.42.97.1";
+          interface = "eth0";
+        };
+        firewall.enable = false;
+        nameservers = [ "10.42.97.1" ];
+      };
+
+      services.nginx.enable = true;
+      services.nginx.virtualHosts."${domain}" = {
+        sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
+        sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
+        sslTrustedCertificate = "/var/lib/acme/${domain}/chain.pem";
+        listen = [
+          {
+            addr = "0.0.0.0";
+            ssl = true;
+            port = 5000;
+          }
+        ];
+        locations."/" = {
+          proxyPass = "http://localhost:5001/";
+          recommendedProxySettings = true;
+        };
+      };
+
+      services.mysql.package = pkgs.mariadb;
+      services.firefox-syncserver = {
+        enable = true;
+        singleNode = {
+          enable = true;
+          enableNginx = false;
+          hostname = domain;
+        };
+        settings = {
+          port = 5001;
+          tokenserver.enable = true;
+        };
+        secrets = "/run/secrets/firefox-sync";
+        logLevel = "trace";
+      };
+
+      services.openssh.enable = true;
+      users.users.root.openssh.authorizedKeys.keys = [
+        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+        "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+      ];
+
+      system.stateVersion = "23.05";
+    };
+  };
+}

hosts/fw.cloonar.com/modules/firewall.nix

@@ -21,6 +21,7 @@
             chain input {
               type filter hook input priority filter; policy drop;
               iifname "lo" accept comment "trusted interfaces"
+              iifname "lan" counter accept comment "Spice"
               ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
               tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
             }
@@ -29,7 +30,8 @@
               udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections"
               iifname lo accept
               iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
-              iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
+              iifname "lan" tcp dport 5931 counter accept comment "Spice"
+              iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
               iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
               iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
 
@@ -82,11 +84,12 @@
               iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept
 
               # Forward to git server
-              oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept 
+              oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept 
+              oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept 
 
               # lan and vpn to any
               # TODO: disable wan when finished
-              iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
+              iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
               iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
               iifname { "infrastructure" } oifname { "server", "vserver" } log prefix "Infrastructure connection: " accept
               iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"
@@ -97,6 +100,9 @@
               oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
               oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
 
+              # firefox-sync
+              oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync"
+
               # allow all established, related
               ct state { established, related } accept comment "Allow established traffic"
 
@@ -112,6 +118,7 @@
                 "podman*",
                 "guest",
                 "vb-*",
+                "vm-*",
               } oifname {
                 "wan",
               } counter accept comment "Allow trusted LAN to WAN"
@@ -125,7 +132,9 @@
           content = ''
             chain prerouting {
               type nat hook prerouting priority filter; policy accept;
-              iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
+              iifname "wan" tcp dport { 22 } dnat to 10.42.97.50
+              iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5
+              iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51
               iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201
               iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201
             }
@@ -135,6 +144,7 @@
               type nat hook postrouting priority filter; policy accept;
               oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
               iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade
+              iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade
               iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade
             }
           '';

hosts/fw.cloonar.com/modules/gitea-vm.nix

@@ -0,0 +1,169 @@
+{ nixpkgs, pkgs, ... }: let
+  hostname = "git-02";
+  json = pkgs.formats.json { };
+in {
+  microvm.vms = {
+    gitea = {
+      config = {
+        microvm = {
+          hypervisor = "cloud-hypervisor";
+          shares = [
+            {
+              source = "/nix/store";
+              mountPoint = "/nix/.ro-store";
+              tag = "ro-store";
+              proto = "virtiofs";
+            }
+            {
+              source = "/var/lib/acme/git.cloonar.com";
+              mountPoint = "/var/lib/acme/${hostname}.cloonar.com";
+              tag = "ro-cert";
+              proto = "virtiofs";
+            }
+          ];
+          interfaces = [
+            {
+              type = "tap";
+              id = "vm-${hostname}";
+              mac = "02:00:00:00:00:01";
+            }
+          ];
+        };
+
+        imports = [
+          ../fleet.nix
+        ];
+
+        environment.systemPackages = with pkgs; [
+          vim                 # my preferred editor
+        ];
+
+        networking = {
+          hostName = hostname;
+          firewall = {
+            enable = true;
+            allowedTCPPorts = [ 22 80 443 ];
+          };
+        };
+
+        services.nginx.enable = true;
+        services.nginx.virtualHosts."${hostname}.cloonar.com" = {
+          sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem";
+          sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem";
+          sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem";
+          forceSSL = true;
+          locations."/" = {
+            proxyPass = "http://localhost:3001/";
+          };
+        };
+
+        services.gitea = {
+          enable = true;
+          appName = "Cloonar Gitea server"; # Give the site a name
+          settings = {
+            server = {
+              ROOT_URL = "https://${hostname}.cloonar.com/";
+              HTTP_PORT = 3001;
+              DOMAIN = "${hostname}.cloonar.com";
+            };
+            openid = {
+              ENABLE_OPENID_SIGNIN = true;
+              ENABLE_OPENID_SIGNUP = true;
+              WHITELISTED_URIS     = "auth.cloonar.com";
+            };
+            service = {
+              DISABLE_REGISTRATION                          = true;
+              ALLOW_ONLY_EXTERNAL_REGISTRATION              = true;
+              SHOW_REGISTRATION_BUTTON                      = false;
+            };
+            actions.ENABLED=true;
+          };
+        };
+
+        services.openssh.enable = true;
+        users.users.root.openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+        ];
+
+        system.stateVersion = "22.05";
+      };
+    };
+
+    gitea-runner = {
+      config = {
+        microvm = {
+          mem = 12288;
+          shares = [
+            {
+              source = "/nix/store";
+              mountPoint = "/nix/.ro-store";
+              tag = "ro-store";
+              proto = "virtiofs";
+            }
+            {
+              source = "/run/secrets";
+              mountPoint = "/run/secrets";
+              tag = "ro-token";
+              proto = "virtiofs";
+            }
+          ];
+          volumes = [
+            {
+              image = "rootfs.img";
+              mountPoint = "/";
+              size = 102400;
+            }
+          ];
+          interfaces = [
+            {
+              type = "tap";
+              id = "vm-gitea-runner";
+              mac = "02:00:00:00:00:02";
+            }
+          ];
+        };
+
+        environment.systemPackages = with pkgs; [
+          vim                 # my preferred editor
+        ];
+
+        networking.hostName = "gitea-runner";
+
+        virtualisation.podman.enable = true;
+
+        services.gitea-actions-runner.instances.vm = {
+          enable = true;
+          url = "https://git.cloonar.com";
+          name = "vm";
+          tokenFile = "/run/secrets/gitea-runner-token";
+          labels = [
+            "ubuntu-latest:docker://shivammathur/node:latest"
+          ];
+          settings = {
+            container = {
+              network = "podman";
+            };
+          };
+        };
+
+        services.openssh.enable = true;
+        users.users.root.openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+        ];
+
+        system.stateVersion = "22.05";
+      };
+    };
+  };
+
+  sops.secrets.gitea-runner-token = {};
+
+  environment = {
+    systemPackages = [ 
+      pkgs.qemu
+      pkgs.quickemu
+    ];
+  };
+}

hosts/fw.cloonar.com/modules/gitea.nix

@@ -106,21 +106,5 @@ in
     };
   };
 
-
-  sops.secrets.gitea-runner-token = { };
-
-  services.gitea-actions-runner.instances.main = {
-    enable = true;
-    url = "https://git.cloonar.com";
-    name = "main";
-    tokenFile = "/run/secrets/gitea-runner-token";
-    labels = [
-      "ubuntu-latest:docker://shivammathur/node:latest"
-    ];
-    settings = {
-      container = {
-        network = "server";
-      };
-    };
-  };
+  sops.secrets.gitea-runner = {};
 }

hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix

@@ -6,6 +6,19 @@
     "samsungtv"
   ];
   services.home-assistant.config = {
+    ios = {
+      actions = [
+        {
+          name = "Home Cinema";
+          label.text = "Home Cinema";
+          icon = {
+            icon = "theater";
+            color = "#ffffff";
+          };
+          show_in_watch = true;
+        }
+      ];
+    };
     binary_sensor = [
       {
         name = "xbox";
@@ -290,13 +303,23 @@
       ];
     };
     "automation multimedia scene switch" = {
-      trigger = {
-        platform = "event";
-        event_type = "button_pressed";
-        event_data = {
-          id = [ 254 235 105 198 ];
-        };
-      };
+      alias = "multimedia scene switch";
+      trigger = [
+        {
+          platform = "event";
+          event_type = "button_pressed";
+          event_data = {
+            id = [ 254 235 105 198 ];
+          };
+        }
+        {
+          platform = "event";
+          event_type = "ios.action_fired";
+          event_data = {
+            actionName = "Home Cinema";
+          };
+        }
+      ];
       condition = {
         condition = "state";
         entity_id = "binary_sensor.multimedia_device_on";
@@ -308,9 +331,19 @@
             {
               conditions = [
                 {
-                  condition = "state";
-                  entity_id = "media_player.android_tv_metz_cloonar_multimedia";
-                  state = "on";
+                  condition = "or";
+                  conditions = [
+                    {
+                      condition = "state";
+                      entity_id = "media_player.android_tv_metz_cloonar_multimedia";
+                      state = "on";
+                    }
+                    {
+                      condition = "state";
+                      entity_id = "media_player.android_tv_metz_cloonar_multimedia";
+                      state = "idle";
+                    }
+                  ];
                 }
               ];
               sequence = [
@@ -338,7 +371,7 @@
                     num_repeats = 1;
                     delay_secs = 0.4;
                     hold_secs = 0;
-                    command = "b64:sgAQAhgMGAwZCwcdGQsHHQcdBx0ZCwcdGQsHHQcdGQsZCwcdGQwGHgYeGAwYDAYeBx0GHgcAARgZCxkMGAwGHhkLBh4HHQYeGQsHHRkLBx0GHhkLGQsHHhgMBh4GHhgMGAwGHgcdBh4GAAEZGQwYDBgMBx0YDAYeBx0GHhgMBx0ZCwcdBx0ZCxkMBh4YDAYeBh4YDBgMBh4GHgcdBgABGhgMGAwYDAYeGQsHHQYeBh4YDAYeGAwHHQcdGQwYDAYeGAwGHgYeGAwYDAYeBh4HHQcAARkYDBgMGAwGHhkLBx0HHQcdGQsHHRkMBh0HHRkMGAwGHhgMBh4HHRkLGAwHHQcdBx0HAAEZGAwZCxkLBx0ZDAYdBx0HHRkMBh0ZDAYeBh4YDBgMBh4ZCwcdBx0ZCxkMBh0HHQcdBwABGRkLGQwYDAYeGAwGHgYeBh0ZDAYeGAwHHQcdGQsZDAYdGQwGHQcdGQsZDAYdBx4GHgYAARkZDBgNFwwHHRkMBh0HHQcdGQsHHRkNBR8FHhgMGAwGHRkMBh4GHhkLGA0FHwYdBx4GAAEaGAsZDBgMBh8XDAYeBh4GHhg1EwwGHgcdGAwZDAYeGAwGHgYeGAsZDAYeBh4GHQcAARkZCxkMGAwGHhgMBh4GHgYeGQsHHRgMBx0HHRkLGQwGHhgMBh4GHhkLGQsHHQcdBx0HAAEZGQsYDRgPBAAF3AAAAAAAAAAA";
+                    command = "b64:sQs0AB0JCxsLGx0IHQgLGh0ICxoLGx0JCxodCQobCxoLAAEXHQgdCR0JCxodCQsbCxsLGx0JCxoAAAAA";
                   };
                 }
                 {
@@ -381,7 +414,7 @@
                     num_repeats = 1;
                     delay_secs = 0.4;
                     hold_secs = 0;
-                    command = "b64:sQs0AB0JCxsLGx0IHQgLGh0ICxoLGx0JCxodCQobCxoLAAEXHQgdCR0JCxodCQsbCxsLGx0JCxoAAAAA";
+                    command = "b64:sgBqAgkaBBoJCRsJHBoKGgoJGgQaCQkaBAgbGwoIHAgcGwkJGwgAARkbCRsJGwkJGgQaCgkaBAgbCRsbCQkbGwkJGgQIGxwJGwkJGxsJCRwIHBoKCBsECBsbCAQIGwkAARgbChoKGgoJGxsJCRoECBsJHBsJCRoEGgkJGwkcGgobCQkbGwkJGwkbGwoIHAkbGwkJGwkAARgbCRsJGwoIGxwJCRsJGwkbGwoIGxwIChoKGhwJGwkJHBsJCRsJGxsJCRsJHBsJCRsJAAEYGwkbCRsKCBscCQkbCRsJGxsJCRwbCQkbCRsbCRsJCRscCQgcCRocCQkbCRsbCQobCQABGBsJGwkbCQkbHAkJGwkbCRsbCQkbGwoJGwkbGwkbCQkbGwoIHAkbGwkJGgobGwkKGwkAARccCRsJGwkJHBsJCRsJGwkbGwkJGxsKCRsIHBsJGwkJGxsKCRoJGxwJCRsJGxsJChsIAAEZGwgcCRsJCRscCQkbCRsJGhwJCRscCQkaChsbCRsJCRscCQgcCRocCQkbCRsbCggcCQABGBsJGwkbCggcGwkJGwkbCRsbCggcGgoJGwkbGwkbCggcGwkJGwkbGwkJHAgcGwkJGwkAARgbChoKGgoJGhwJCRsJGwkcGgoJGxsJCRsJGxsJHAkJGxsJCRsJGhwJCRwJGhwJCRsJAAEYGwoaChsJCRsbCQkaChsJGxwJCRsbCQkbCRsbChsJCRsbCQkbCRsbCgkbCRsbCQkcCAABFwQaChsJGwkJGxsKCBwIHAgcGwkJGxsKCBwIGwQaCRsJCRwaCggcCBwbCQkbCRwaCggcCAAF3AAAAAAAAAAAAAAAAAAA";
                   };
                 }
                 {

hosts/fw.cloonar.com/modules/microvm.nix

@@ -0,0 +1,8 @@
+{ nixpkgs, ...}:
+{
+  imports = [ (builtins.fetchGit {
+    url = "https://github.com/astro/microvm.nix";
+  } + "/nixos-modules/host") ];
+
+  systemd.network.networks."31-server".matchConfig.Name = [ "vm-*" ];
+}

hosts/fw.cloonar.com/modules/networking.nix

@@ -7,6 +7,7 @@
   };
 
   systemd.network = {
+    enable = true;
     wait-online.anyInterface = true;
     links = {
       "10-wan" = {
@@ -18,6 +19,19 @@
         linkConfig.Name = "lan";
       };
     };
+    netdevs = {
+      "30-server".netdevConfig = {
+        Kind = "bridge";
+        Name = "server";
+      };
+    };
+    networks = {
+      "31-server" = {
+        matchConfig.Name = [ "vserver" ];
+        # Attach to the bridge that was configured above
+        networkConfig.Bridge = "server";
+      };
+    };
   };
 
   networking = {
@@ -51,11 +65,11 @@
     #   interface = "vserver";
     #   mode = "bridge";
     # };
-    bridges = {
-      server = {
-        interfaces = [ "vserver" ];
-      };
-    };
+    # bridges = {
+    #   server = {
+    #     interfaces = [ "vserver" ];
+    #   };
+    # };
 
     interfaces = {
       # Don't request DHCP on the physical interfaces

hosts/fw.cloonar.com/modules/podman.nix

@@ -19,15 +19,15 @@ let
 in {
   users.groups.podman.gid = cids.gids.podman;
   virtualisation = {
-    containers.containersConf.settings = {
-      containers.dns_servers = [ "10.42.97.1" ];
-    };
+    # containers.containersConf.settings = {
+    #   containers.dns_servers = [ "10.42.97.1" ];
+    # };
     podman = {
       enable = true;
       dockerCompat = true;
-      defaultNetwork.settings = {
-        dns_enabled = true; # Enable DNS resolution in the podman network.
-      };
+      # defaultNetwork.settings = {
+      #   dns_enabled = true; # Enable DNS resolution in the podman network.
+      # };
     };
   };
 

hosts/fw.cloonar.com/modules/postgresql.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+{
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ "mydatabase" ];
+   
+    identMap = ''
+      # ArbitraryMapName systemUser DBUser
+         superuser_map      root      postgres
+         superuser_map      postgres  postgres
+         # Let other names login as themselves
+         superuser_map      /^(.*)$   \1
+    '';
+    authentication = pkgs.lib.mkOverride 10 ''
+      #type database  DBuser  auth-method optional_ident_map
+      local sameuser  all     peer        map=superuser_map
+    '';
+  };
+};

hosts/fw.cloonar.com/modules/unbound.nix

@@ -2,9 +2,30 @@
 let
   cids = import ../modules/staticids.nix;
   domain = "ns.cloonar.com";
+
+  adblockLocalZones = pkgs.stdenv.mkDerivation {
+    name = "unbound-zones-adblock";
+
+    src = (pkgs.fetchFromGitHub {
+      owner = "StevenBlack";
+      repo = "hosts";
+      rev = "3.0.0";
+      sha256 = "01g6pc9s1ah2w1cbf6bvi424762hkbpbgja9585a0w99cq0n6bxv";
+    } + "/hosts");
+
+    phases = [ "installPhase" ];
+
+    installPhase = ''
+      ${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u >  $out
+    '';
+
+  };
   cfg = {
     remote-control.control-enable = true;
     server = {
+      include = [
+        "\"${adblockLocalZones}\""
+      ];
       interface = [ "0.0.0.0" "::0" ];
       interface-automatic = "yes";
       access-control = [
@@ -32,7 +53,10 @@ let
         "\"deconz.cloonar.com IN A 10.42.97.22\""
         "\"snapcast.cloonar.com IN A 10.42.97.21\""
         "\"home-assistant.cloonar.com IN A 10.42.97.20\""
+        "\"web-02.cloonar.com IN A 10.42.97.5\""
+        "\"support.cloonar.com IN A 10.42.97.5\""
         "\"git.cloonar.com IN A 10.42.97.50\""
+        "\"sync.cloonar.com IN A 10.42.97.51\""
 
         "\"stage.wsw.at IN A 10.254.235.22\""
         "\"prod.wsw.at IN A 10.254.217.23\""
@@ -71,6 +95,8 @@ let
         "\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
         "\"conf.wrwks.at IN A 10.254.240.105\""
 
+        "\"web.hilgenberg-gmbh.de IN A 91.107.197.169\""
+
         "\"deconz.cloonar.multimedia IN A 10.42.97.22\""
         "\"metz.cloonar.multimedia IN A 10.42.99.10\""
         # "\"ps5.cloonar.multimedia IN A 10.42.99.12\""
@@ -216,6 +242,7 @@ in {
     group = "unbound";
   };
 
+  services.resolved.enable = false;
 
   services.unbound = {
     enable = true;

hosts/fw.cloonar.com/modules/web/default.nix

@@ -0,0 +1,113 @@
+{ lib, nixpkgs, pkgs, ... }: let
+  hostname = "web-02";
+  json = pkgs.formats.json { };
+  impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
+in {
+  microvm.vms = {
+    web = {
+      config = {
+        microvm = {
+          mem = 4096;
+          # hypervisor = "cloud-hypervisor";
+          shares = [
+            {
+              source = "/nix/store";
+              mountPoint = "/nix/.ro-store";
+              tag = "ro-store";
+              proto = "virtiofs";
+            }
+            {
+              source = "/var/lib/microvms/persist/web-02";
+              mountPoint = "/persist";
+              tag = "persist";
+              proto = "virtiofs";
+            }
+          ];
+          volumes = [
+            {
+              image = "rootfs.img";
+              mountPoint = "/";
+              size = 102400;
+            }
+          ];
+          interfaces = [
+            {
+              type = "tap";
+              id = "vm-${hostname}";
+              mac = "02:00:00:00:00:03";
+            }
+          ];
+        };
+
+        imports = [
+          "${impermanence}/nixos.nix"
+          ../../utils/modules/sops.nix
+          ../../utils/modules/lego/lego.nix
+          # ../../utils/modules/borgbackup.nix
+
+          ./zammad.nix
+          ./proxies.nix
+        ];
+
+        time.timeZone = "Europe/Vienna";
+
+        systemd.network.networks."10-lan" = {
+          matchConfig.PermanentMACAddress = "02:00:00:00:00:03";
+          address = [ "10.42.97.5/24" ];
+          gateway = [ "10.42.97.1" ];
+          dns = [ "10.42.97.1" ];
+        };
+
+        fileSystems."/persist".neededForBoot = lib.mkForce true;
+        environment.persistence."/persist-local" = {
+          directories = [
+            "/var/lib/zammad"
+            "/var/lib/postgresql"
+            "/var/log"
+            "/var/lib/systemd/coredump"
+          ];
+        };
+
+        environment.systemPackages = with pkgs; [
+          vim                 # my preferred editor
+        ];
+
+        networking.hostName = hostname;
+
+        services.openssh = {
+          enable = true;
+          hostKeys = [
+             {
+               path = "/persist/etc/ssh/ssh_host_ed25519_key";
+               type = "ed25519";
+             }
+             {
+               path = "/persist/etc/ssh/ssh_host_rsa_key";
+               type = "rsa";
+               bits = 4096;
+             }
+           ];
+        };
+        users.users.root.openssh.authorizedKeys.keys = [
+          "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
+          "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
+        ];
+
+        # backups
+        # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
+
+
+        sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
+        sops.defaultSopsFile = ./secrets.yaml;
+
+        networking.firewall = {
+          enable = true;
+          allowedTCPPorts = [ 22 80 443 ];
+        };
+
+
+        system.stateVersion = "22.05";
+      };
+    };
+  };
+}

hosts/fw.cloonar.com/modules/web/proxies.nix

@@ -0,0 +1,10 @@
+{ ... }: {
+  services.nginx.virtualHosts."git.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    locations."/" = {
+      proxyPass = "https://git.cloonar.com/";
+    };
+  };
+}

hosts/fw.cloonar.com/modules/web/secrets.yaml

@@ -0,0 +1,32 @@
+borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str]
+borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXxEyffUeaiGsT9Gh9yQqOKTstTihA48nVk/4ekAPD/ZGDQ189V1BwKkQ5chN9TSULofekfmemhUhVGjnx8OFl6hYYpTttQSTLHtczmfE2iX1JyrZy2Z+H+w6dbZjkYDayRUt/4+5wCtQJ1Nt7bjzwLWhjdVtwDeBLm/kCywVguZLCgyiuqmXMr1h9jpUS7URZegGz1lFs34Ismu1LtaRjFGRyd8aKaTU6PSxDbjE4dQ3Lh1Hm3nhtOrSkswBZLp8OTP6emrQ7c3oJp1zqO5zQHXxD2V5hkPw6ln0Ee1aQp1rvLD8shRXzRbHG+mySvjKLJvLypnNuYfQklqlnhbG+M1/NN13oVF13nHpKwP5q33sRr49mfHw8YHdRhHuhYHVrpy8ep0AmPXiDYCDM4cnlOMnzlH/toF0fq0YRny6QoqKNpaYhmA61MXRPTZCqoAcE1N+oo7HymjJetzL9b2FkPCoDOx989IJ8SUaBJpzR+agNsFi87htVllRp4ozms/m56dI0AdwqeAre00iMBzpVS0hXURE7fqvAnLHQD1goW9XB2mztqcJ09YafrOgTA3oyazWcAjxgV33GupxxIDmwRdLmavvr4qrHfddYctYLPI7VolqT9JmKN6iVG9vYsDutgoyRlhzbGASKPLgcYn9sGG+LBgTHfZyABnYOaUetVP72mhSN30ZZixcCskVlGg5C53wrW5o6mBv+PyG8PimxLmQylbvHUdGGVLQfMpJaaXgpUjBX1MWdQAVa+Nyjm7QwYdRKoCb3suQ6bOq5O9eotel3GPB8gpKzInhNA/0xiB4UyCGp1i21iRS9+Rc7yufo5s3t56k0643K2DhBUVgssiTsG15BbQdX4c1O28i9zwEZ+wVci1yvLX38M0a3tDDt9iW1BIOWehShS7dpyJR2/OgWLFagw9hYP5h24t5k6Gz2ODhPouaFccYDRUBR6UECxA+gDS+trN8iNSX1oWa0ys0XvgwWpJ2CrdSArNqe1BdhM47BQwudiA3RwaEN3wRh5PeykSk/3BUXK+ZdAr0BZ8ij2q4F8zQexLxnrV6xRqofNcVs62iJAjx6g86InSv0nNjLQ9U/fBTL66u1iRZFJhuxPjDNfLJZqT0TvRR7KBcNWTwTuMCGNp5s9TngMUF4uhHx8qGxtjfH58WjixOhC9lgUt7cYEFIeefcwIO9VVnKoiXK5sPIvIsjtLRzGvejYSd0ZwSF3Ly9FkWLkr+o5rs5bXtGMsSQ+BUFg5nM1BqrHIGv9M+F4kPxhnqm9/JXuMSQ+JUzix5N0vHuSTphCayDpMHJYRUEkDEmwPXMyB9zWVmvMb0ByUnfs/n/jmL4WRuggYqchIR3/xuco5HUqLbEKXiJ39wVgy+i3/biWOOEu5BmMx3qbgQ1+6nlxY+f1qpXZ8br0RlXLOQ6L/O9Qa9gKZaxLm/5GCiFZ+SeU/c5OgUndYqTk6FsbDlNurA69IqjwubG345lpdB9VPoGP7dLsx3VaGKW0bvr06oRaeasMx90SN5bGQJH+0iQFkGPhp0m2v31zpBk1IibXi5Qb1OWGXGYd+iNt1ZQF0HVuEqQEXI62x92QkaR7eHowR4tCRF1xH1ZrBkyjtdofUU2wPqsRrOWqGIZWUh/JpfXkSAZQo9yJKnHcp9d3BPEvWpLWS9g1Jfej5XG497aP6crWw5XawOyzi+PEgz2Y3Q0R/MM3S1W2R7Z+21nekbCfghpNylwIX4UYkeX8YorheiumkUfFXjktPSkFCTuUrYAA89WZjIIqd4/gt3tS7keCsjEiTkW2KdDPlzNItKnC8xWnpRc+Wh6ghA/nt3j4POb880j3scFoDjgOv5lNk2Q84S/IW+DQ3U8o4JrKiXsxchDvmgGbU4FbXZTGLXeM1CybmbZKogIHdwJkhC425oqA1PMiq5tDPLKpl2214JuaV4Xd8R0bwCSHYjQp9gqJT9j1Wg/3P0M3/VGZGoJEVriiBl6PBHP2CcvxK1NADDmMHgGQwwfROoSijAzzPKCy9sgzsquTkqzq8q4aChjGKShxs+52dpnmmuygSlxjyVQCEW9kLERf1Nm1arsLkHJ4ZsWgSrskGvjsPEvyEnpY33gGB7fpy90NW0GtELgGzEw/1nfLcFbRBJ7gH+4Dby2fBTxoV2ks9m0Fv6OWsfIe6H54zWLmqB1RkQaskb1wDKU3HATOmuYo/fByLIsMyR5l3P7LXWF5CJOprzp41rGts/ybJEG1EUtmVCs2epTwbeG/Waq1DB3TFa639ETjxOfGQ65PXp5aT1d5v+ko87LiR+0us6xwlfZ6NMRRZuPt4wycFgPUAAmpdmguwDKifHKA258g9kzotT25JeFFEMVhsMi1PoXEqA+sFomdsLt+Vtpr2aGMUWyHD/E2fgAtybLwxbjqDINi8vXWJxv/UZdH8wBOlWLtaeGg5/jRsMuL/hSSZ84Q2zfRVvV7/BZ7wnxfoXmAwRdTZijAvc9TxWszP6E5mAix7s/znU+1vnseJdxWa4Ff1wOGVL/Tem2K0J/mp75XuzSP7nCYDMgqhnvfzlD8vv6QpxtDUAbdTBDyPkQ4U9L6+y5ul5Aegpui+p0G9/0UHdBYhJiFd90omnhSmyHx2pvgUTfbL/Kv/pk7nwTv89a87NXNA9K6AATwx0kUPgIWs/5FGi8leCXGSsgBbJogL1htC72pKzVH6ckEzKeBzRADmwFLhnPIvp37ZkQPj0rrWRhkd5RqsFcN0166N+M4lPD0hzPd2+nEXDAOHoCK7U+BcRcJ3GUlyPU91dbWfo9otPd3naTvGVZuFDxOihLtBXaLTsxmS4STk6DVRjwNmX8YC9FwXkED19xEeH6KkaFs1nVXnmDqpvi2BcueT96t6TOeu5HcA9fAgFTpOKVT6cK2PcHTtJhjrPkfSYr0/ksJdV7r9N4JgAEfiASMMHS5uQWJlyJKWo92rJ2IvSCQx4lcK3gasgcTsVaYmuRORM+6263r4NKS8W8r55XvVyW/C7vvsVq6wF3xUkQadBkxIUQUVWxxCc1pWOlfWwMs0i+ZssoaWopbs7x45z86i+3HsHmfS6GuXUpQfgvXe9Bn7mOj7VQWaG9NIFUpIxisGfdY9L8+RXobo7etD3da7TNMs40BT+34tijcX53FzKwvG3ESNPB2hjOAITDta6LDOHhJrlVqn90p1DicThHOaT3fxt6ST287EhWqK9S1gpkLrp0gNSA9v+K9mBvWaWYNDXY7sGxOIMzCEIdFT18Pra92NhGTJtC0XizHDMUfGx5WAaard1Iy/PYXvavoAwp30qDCQGF+PgwSProa+JtQQPzoEgtSXNVhUWIzz10TACuo+vHt8sHvFG3VuU7jSOr9sqVrN36KMDUlwo0gavHKsjRxHf2OGh552q7AP+sM6Y5WhA4KhmQSUKCVxYVQ==,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str]
+zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUWdTYlRjWDJvemF5Q2sr
+            VCtrS2dTTGRwUlNIWHd0WkVCRkRMcGhuTzE0ClNic1FmQ05UNWQwbGc4TUFMNGlI
+            K0RhK2pqUGY3UElmK1pNUEkxV2xGUTQKLS0tIFRORE9JTDRZK0MwZUJoc2xlcHFH
+            bmp3ZW14TVdCMHhkSi84NE5neDdrY3cKYfgu7aqvG6wQmEFhmzieXFGoQpyffPXj
+            jiHrAPjBBFy21wdYf0nQXNMzekqOMJwOj0oNA2b5omprPxjB9uns4Q==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUjQxWnBMQXo3QmF1STUw
+            bHh1NDhvQXZIQ2RiOUx5OU5Wc3BVSEJDUEZVCmVzeFk5SWpMbVV4VUdsRmhiaWwz
+            bTJDY1pJRXJvNUdCSXJqQ3Byd3lWN2sKLS0tIHRKdXRNc1BYcURBRVNlenk1OEl3
+            Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
+            SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-08-16T11:12:23Z"
+    mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

hosts/fw.cloonar.com/modules/web/zammad.nix

@@ -0,0 +1,120 @@
+{ config, pkgs, ... }:
+
+{
+  services.zammad = {
+    enable = true;
+    port = 3010;
+    secretKeyBaseFile = config.sops.secrets.zammad-key-base.path;
+    database = {
+      createLocally = true;
+    };
+  };
+  
+  services.nginx.enable = true;
+  services.nginx.virtualHosts."support.cloonar.com" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+
+    extraConfig = ''
+      # Virtual endpoint created by nginx to forward auth requests.
+      location /authelia {
+        internal;
+        set $upstream_authelia https://auth.cloonar.com/api/verify;
+        proxy_pass_request_body off;
+        proxy_pass $upstream_authelia;    
+        proxy_set_header Content-Length "";
+
+        # Timeout if the real server is dead
+        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+        # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+        # Provide either X-Original-URL and X-Forwarded-Proto or
+        # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+        # Those headers will be used by Authelia to deduce the target url of the     user.
+        # Basic Proxy Config
+        client_body_buffer_size 128k;
+        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $remote_addr; 
+        proxy_set_header X-Forwarded-Proto $scheme;
+        proxy_set_header X-Forwarded-Host $http_host;
+        proxy_set_header X-Forwarded-Uri $request_uri;
+        proxy_set_header X-Forwarded-Ssl on;
+        proxy_redirect  http://  $scheme://;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+        proxy_cache_bypass $cookie_session;
+        proxy_no_cache $cookie_session;
+        proxy_buffers 4 32k;
+
+        # Advanced Proxy Config
+        send_timeout 5m;
+        proxy_read_timeout 240;
+        proxy_send_timeout 240;
+        proxy_connect_timeout 240;
+      }
+    '';
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:3010";
+      proxyWebsockets = true;
+      extraConfig =
+        "proxy_set_header X-Forwarded-Proto 'https';" +
+        "proxy_set_header X-Forwarded-Ssl on;" +
+        "proxy_connect_timeout  300;" +
+        "proxy_send_timeout     300;" +
+        "proxy_read_timeout     300;" +
+        "send_timeout           300;"
+      ;
+    };
+    locations."/auth/sso" = {
+      proxyPass = "http://127.0.0.1:3010";
+      proxyWebsockets = true;
+
+      extraConfig = ''
+        # Basic Authelia Config
+        # Send a subsequent request to Authelia to verify if the user is authenticated
+        # and has the right permissions to access the resource.
+        auth_request /authelia;
+        # Set the `target_url` variable based on the request. It will be used to build the portal
+        # URL with the correct redirection parameter.
+        auth_request_set $target_url $scheme://$http_host$request_uri;
+        # Set the X-Forwarded-User and X-Forwarded-Groups with the headers
+        # returned by Authelia for the backends which can consume them.
+        # This is not safe, as the backend must make sure that they come from the
+        # proxy. In the future, it's gonna be safe to just use OAuth.
+        auth_request_set $user $upstream_http_remote_user;
+        auth_request_set $groups $upstream_http_remote_groups;
+        auth_request_set $name $upstream_http_remote_name;
+        auth_request_set $email $upstream_http_remote_email;
+        proxy_set_header Remote-User $user;
+        proxy_set_header Remote-Groups $groups;
+        proxy_set_header Remote-Name $name;
+        proxy_set_header Remote-Email $email;
+        # If Authelia returns 401, then nginx redirects the user to the login portal.
+        # If it returns 200, then the request pass through to the backend.
+        # For other type of errors, nginx will handle them as usual.
+        error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
+      '';
+    };
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:6042";
+      proxyWebsockets = true;
+      extraConfig =
+        "proxy_set_header X-Forwarded-Proto 'https';" +
+        "proxy_set_header X-Forwarded-Ssl on;" +
+        "proxy_read_timeout     86400;" +
+        "send_timeout           300;"
+      ;
+    };
+  };
+
+  sops.secrets = {
+    zammad-key-base.owner = "zammad";
+  };
+
+  services.postgresqlBackup.enable = true;
+  services.postgresqlBackup.databases = [ "zammad" ];
+}

hosts/fw.cloonar.com/secrets.yaml

@@ -6,12 +6,14 @@ wg_cloonar_key: ENC[AES256_GCM,data:Dtp6I5J0jU5LLVwEFU4DFCpUngPRmFMebGXnk2oSwsKt
 wg_epicenter_works_key: ENC[AES256_GCM,data:LeLjfwfaz+loWyHYRgIMIPzHzlOnhl9tluKcQFgdes6r+deft1JfnUzDuF0=,iv:DKrc3I+U2hWDH8nnc8ZQeaVtA1eVXu7SXdTn1fxHoH4=,tag:V0PL0GrL2NEPVslAZa801A==,type:str]
 wg_epicenter_works_psk: ENC[AES256_GCM,data:Den3NDWdP013Or6/2Vll1igUahuRSNW4hu+nDa5vkr93bbveQTaWFT4TD4U=,iv:r3UsD3+3lUIP2X3Grti7wpXTQBXtu1/MdrycEmpZfsI=,tag:ghbAcxmjGVOe9jCZsmFzjA==,type:str]
 wg_ghetto_at_key: ENC[AES256_GCM,data:OIHmoy3SpIi9aefZnZ1PzpyHbEso18ceoTULf2eQkx1rJbaxC6PD1lma7eQ=,iv:u0eFjHHOBzPTmBvBEQsYY5flcBayiAQKd6e7RyiPwJI=,tag:731C9wvv8bA5fuuQq+weVQ==,type:str]
+gitea-runner: ENC[AES256_GCM,data:IRx9QzbLJrkF/DYvpVf2012BiSBnHZJe10opkRO2kJuegdb0denW3mvmnU4isoj7jO/0QyN6HZHlHb5ihC7fFl4LavPDVjAAhZPynkpDw9IHFeqZDUSPzxQsq7FibKmfEpEmWEz+Npe8JI1kl694XYV/kqErKa3JrZS7Jm8zFcv7DSY/V5bdy4Is8ZSRtHiP/aVzFdsvjwtissCDnCl7zRZjXUcN0FssvPHBZHxLuc68EoagIw1aVSzkvSVBXer4rFdlefjskFelRnUr3pvm188=,iv:VnvPFDFGz/QyfQmZxQFB3J2ReqaHdRaypb2Vnq7Dthw=,tag:19rx0nlmXLj/6yPRAFGigA==,type:str]
 gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxUSEMNU7Reu3HLCWuvP0easPU=,iv:4mrfQc1tobg/QiExUuWST6iU9TdNwiS1BMmOnQqCFZU=,tag:85aRoD3IkRq3mcoPdLKaBQ==,type:str]
 drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
 home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
 home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str]
 palworld: ENC[AES256_GCM,data:rdqChPt4gSJHS1D60+HJ+4m5mg35JbC+pOmevK21Y95QyAIeyBLVGhRYlOaUcqdZM2e4atyTTSf6z4nHsm539ddCbW7J2DCdF5PQkrAGDmmdTVq+jyJAT8gTrbXXCglT1wvFYY5dbf2NKA4ASJIA8bdVNuwRZU0CtFiishzLuc9m8ZcGCNwQ/+xkMZgkUAHYRlEJAZyMpXR6KkFftiR05JRAFczD4N7GXPPe+vyvgXg7QBGtf20Qd4SGBUw0zI/SNTRmifHUuc4Z6+Fe9JHgvTc3uFcTMVnty0fEuL+a29liaVdAFq8BnqJfc5CNV401ZSUeMbG41lCn1cegP/WChs9J6HXNrhWDgiXa6ln++NoKcfOHIfZVbYOCoOxFR6+YWeBU2+sHmdwI9j5XQf5Ly2hmg12j0Ds2Cn8k4PG5aQP+HT2bedqyxwSt6fi97A0Osnh4ig7+DzYAjSNLewbYLzVdK39VdvB9hqLto+yFS3gAaeYOHwPwtqa+COI85c55lHiyKHlSwPhBqYaaiDu00lQTUzq9R5vz6F/l+T3bUjuna5RryUu8yhnk5DyK834KycTOg4ETcZTqro6prfiEBxc+Utsc9JvEtZgwFv6fsVLOu7nHxuiYuvseZ4YA8LlYdwPJboMPO2XsuhwWtT1uz/rh2orH7/vsXvzA/kF8NFemWBEMVLYA8byC5ze8doiGDYp4T5AAf10nJB1ceQ==,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str]
 ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str]
+firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -45,8 +47,8 @@ sops:
             ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
             tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-04-30T23:51:24Z"
-    mac: ENC[AES256_GCM,data:joDgRM3f4Faimhx/kU3YZmcaouuWlkyr5AniEWGzAsWkipp5XjIJ10gQ7nnu7zhVfTnwJCNoamjdkoAMfeINY6LK/QCVXIxr4821nqlhLbQfKlZYlEei4ryy1sXmW/n2uhV5rHJqmSo/OKfqGmdRY6heCefseNXDETfxj86NN0s=,iv:rAIspyGn7IFzXUuZZEPEuBnwRMOwBWwycXPiMXtDEKY=,tag:RISzmjUiV+fR6PUcz9PVDw==,type:str]
+    lastmodified: "2024-08-02T22:57:14Z"
+    mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.8.1