add zammad to fw vm, add web-arm machine

2024-08-16 22:42:00 +02:00
parent d46990b7fb
commit f86996cd28
87 changed files with 4681 additions and 135 deletions
--- a/hosts/web-01.cloonar.com/configuration.nix
+++ b/hosts/web-01.cloonar.com/configuration.nix
@@ -47,6 +47,7 @@
    ./sites/module.paraclub.cloonar.dev.nix
    ./sites/gbv-aktuell.cloonar.dev.nix
    ./sites/stage.myhidden.life.nix
+    ./sites/stage.korean-skin.care.nix
  ];

  nixpkgs.config.permittedInsecurePackages = [
--- a/hosts/web-01.cloonar.com/modules/authelia/default.nix
+++ b/hosts/web-01.cloonar.com/modules/authelia/default.nix
@@ -232,6 +232,7 @@
      extraConfig = ''
        allow 127.0.0.1;
        allow 49.12.244.139;
+        allow 77.119.230.30;
        deny all;
      '';
    };
@@ -254,6 +255,7 @@

        # Basic Proxy Config
        proxy_set_header Host $host;
+        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
--- a/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix
+++ b/hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix
@@ -30,10 +30,7 @@ in
  services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = ''
    return 301 https://autoconfig.cloonar.com$request_uri;
  '';
-  services.nginx.virtualHosts."autoconfig.ghetto.at".extraConfig = ''
-    return 301 https://autoconfig.cloonar.com$request_uri;
-  '';
-  services.nginx.virtualHosts."autoconfig.optiprot.eu".extraConfig = ''
+  services.nginx.virtualHosts."autoconfig.korean-skin.care".extraConfig = ''
    return 301 https://autoconfig.cloonar.com$request_uri;
  '';
 }
--- a/hosts/web-01.cloonar.com/sites/autoconfig.nix
+++ b/hosts/web-01.cloonar.com/sites/autoconfig.nix
@@ -51,6 +51,7 @@ in
  services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig;
  services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig;
  services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig;
+  services.nginx.virtualHosts."autoconfig.korean-skin.care" = vhostConfig;

  systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false;

--- a/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix
+++ b/hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix
@@ -0,0 +1,61 @@
+{ pkgs, lib, config, ... }:
+let
+  user = "stage_korean_skin_care";
+  domain = "stage.korean-skin.care";
+  dataDir = "/var/www/${domain}";
+in {
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    acmeRoot = null;
+    root = "${dataDir}";
+
+    locations."/favicon.ico".extraConfig = ''
+      log_not_found off;
+      access_log off;
+    '';
+
+    locations."/".extraConfig = ''
+      index index.html;
+    '';
+
+    locations."~* \.(jpe?g|png)$".extraConfig = ''
+      set $red Z;
+
+      if ($http_accept ~* "webp") {
+          set $red A;
+      }
+
+      if (-f $document_root/webp/$request_uri.webp) {
+          set $red "''${red}B";
+      }
+
+      if ($red = "AB") {
+          add_header Vary Accept;
+          rewrite ^ /webp/$request_uri.webp;
+      }
+    '';
+
+    locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
+     expires 365d;
+     add_header Pragma "public";
+     add_header Cache-Control "public";
+    '';
+
+    locations."~ [^/]\.php(/|$)".extraConfig = ''
+      deny all;
+    '';
+  };
+  users.users."${user}" = {
+    isNormalUser = true;
+    createHome = true;
+    home = dataDir;
+    homeMode= "770";
+    #home = "/home/${domain}";
+    group  = "nginx";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLGkR8JVFtyFnsXTooT/krORpPDdnFk612GW1agaOeG"
+    ];
+  };
+  users.groups.${user} = {};
+}