Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

add zammad to fw vm, add web-arm machine

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2024-08-16 22:42:00 +02:00
parent d46990b7fb
commit f86996cd28
87 changed files with 4681 additions and 135 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
.sops.yaml
View File

@@ -5,9 +5,10 @@
keys:
- &dominik age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
- &dominik2 age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
- &tuxedo age17c4swm58zt07axl5u6kkxrwtr5haqkvu4ye4t98qdph98qdclgtq2cyzkq
- &git-server age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
- &web-01-server age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
- &web-02 age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
- &web-arm age136s4znrmkheztq6mps46dj5z4avy2umzz3the58fqtlsksvx5skq9ljqgk
- &home-assistant-server age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58
- &ldap-server-test age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
- &testmodules age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
@@ -36,12 +37,22 @@ creation_rules:
- *dominik
- *dominik2
- *fw
- path_regex: hosts/fw.cloonar.com/modules/web/[^/]+\.yaml$
key_groups:
- age:
- *dominik
- *web-02
- path_regex: hosts/web-01.cloonar.com/[^/]+\.yaml$
key_groups:
- age:
- *dominik
- *dominik2
- *web-01-server
- path_regex: hosts/web-arm/[^/]+\.yaml$
key_groups:
- age:
- *dominik
- *web-arm
- path_regex: hosts/mail.cloonar.com/[^/]+\.yaml$
key_groups:
- age:
@@ -56,6 +67,7 @@ creation_rules:
- *dominik2
- *git-server
- *web-01-server
- *web-02
- *home-assistant-server
- *ldap-server-arm
- *ldap-server-test

4
fleet.nix
View File

@@ -23,6 +23,10 @@
username = "web-01.cloonar.com";
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCl7cvUGMmtpVfJ3PB4Rco7V8z83nivst77SgBn+Z3cHgcDJDu9l3L4Q6rv9b6thmEX+Xf0ri6UwDI8UuJro4F9qpCXsTkHres3f/pDZokgfO7bvU2l7ujq6NnAx0qJWdB6oku36x3t2wBnvkDijXLtGPeQbd6c33hECEwA7QszvoBbGi0yFiGsqR5W7o0kiju/LMzCkExeaspFV6DBtEW0qZVMYx+lBIK5Hi/g3vBjbhFdWGz8T2AITcAnGI9n6f+dg3dlMPEHXnF9KRod1EVDnYMxbEp49i98m65F1xAFwOo35WSg48LlV1PK1VusboE3pHgE2VEFmW1J+PVQZ+z0JAaRBv/wSVN0YzuCLfLtUr10K1W23YbT1UVm7FusKpT1KElZ9adfbk6SXVhXnru40VcwqgYfw7naQJzT8aDI9Tnci+z4xCCxrdUF/psDBPD5sfjMPbjdPbt6Jnx1H9ZodiC/sQUtbn6MMbenMSf/AmuUC9xzpXlqCtPmN1dSC+8= root@web-01";
}
{
username = "web-arm";
key = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGzJRWe8hsqAVnGSjPrcheloteWMzORoQ5Gj4IfhCROF";
}
{
username = "mail.cloonar.com";
key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCfEuRazRv8zKWJSq+T3SssgOrkBFu6y/t6uoMNrD3P9WHowRDejo2rBsWFgPszhfgxLpWHiuSZFMG8z+07k5fVTdmbUwx0vXI1lmQ7AxB/CPwBef2Vpb7b8Rq6geejvP8X6UjQWP0rsCMtoX2SeBDTG8bDlyq1U3vYxVY4hery6a9Wu57OI5VbSIHhqQvExo7euz8V7ORsLyT8gi9x3r8gNaKJmvssB6QXXZ7U2sJaAUjhV/BmrZJD5qR9EwqwiMPJ2+SkZ0Vz6CFG6GLyB/ngXPEfclLKK7AzookJy7WepqojjFTzmOBMH903oR+MIpjDECKxgaFtW4xY0A/tj8ZDCBPtP8AKjediOASkAi7eUMPseQKDE0BNLSidC0hlQUe0aPaMeA8b1U86PblzpgF8ntkUPbxhO0AgHKq9fPN+f58f75fryNbhgPRRkeLet1q3hxguEMg2MIg/EqIw862YPWPtGRk0wJHwQU7jx+9BbjdptAVTJo/Cj9vM7mpZphE= root@mail";

9
hosts/fw.cloonar.com/configuration.nix
View File

@@ -25,10 +25,19 @@
./modules/ddclient.nix
./modules/wol.nix
# microvm
./modules/microvm.nix
./modules/gitea-vm.nix
# web
./modules/web
# git
./modules/gitea.nix
# ./modules/fwmetrics.nix
./modules/firefox-sync.nix
# home assistant
./modules/home-assistant
./modules/deconz.nix

5
hosts/fw.cloonar.com/modules/dhcp4.nix
View File

@@ -77,6 +77,11 @@
ip-address = "10.42.97.2";
server-hostname = "omada.cloonar.com";
}
{
hw-address = "02:00:00:00:00:03";
ip-address = "10.42.97.5";
server-hostname = "web-02.cloonar.com";
}
{
hw-address = "ea:db:d4:c1:18:ba";
ip-address = "10.42.97.50";

83
hosts/fw.cloonar.com/modules/firefox-sync.nix Normal file
View File

@@ -0,0 +1,83 @@
{ config, pkgs, ... }:
let
domain = "sync.cloonar.com";
in {
sops.secrets.firefox-sync = { };
security.acme.certs."${domain}" = {
group = "nginx";
};
containers."firefox-sync" = {
autoStart = true;
ephemeral = false; # because of ssh key
privateNetwork = true;
hostBridge = "server";
hostAddress = "10.42.97.1";
localAddress = "10.42.97.51/24";
bindMounts = {
"/run/secrets/firefox-sync" = {
hostPath = "/run/secrets/firefox-sync";
isReadOnly = true;
};
"/var/lib/acme/${domain}/" = {
hostPath = "${config.security.acme.certs.${domain}.directory}";
isReadOnly = true;
};
};
config = { lib, config, pkgs, ... }: {
networking = {
hostName = "firefox-sync";
useHostResolvConf = false;
defaultGateway = {
address = "10.42.97.1";
interface = "eth0";
};
firewall.enable = false;
nameservers = [ "10.42.97.1" ];
};
services.nginx.enable = true;
services.nginx.virtualHosts."${domain}" = {
sslCertificate = "/var/lib/acme/${domain}/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${domain}/key.pem";
sslTrustedCertificate = "/var/lib/acme/${domain}/chain.pem";
listen = [
{
addr = "0.0.0.0";
ssl = true;
port = 5000;
}
];
locations."/" = {
proxyPass = "http://localhost:5001/";
recommendedProxySettings = true;
};
};
services.mysql.package = pkgs.mariadb;
services.firefox-syncserver = {
enable = true;
singleNode = {
enable = true;
enableNginx = false;
hostname = domain;
};
settings = {
port = 5001;
tokenserver.enable = true;
};
secrets = "/run/secrets/firefox-sync";
logLevel = "trace";
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "23.05";
};
};
}

18
hosts/fw.cloonar.com/modules/firewall.nix
View File

@@ -21,6 +21,7 @@
chain input {
type filter hook input priority filter; policy drop;
iifname "lo" accept comment "trusted interfaces"
iifname "lan" counter accept comment "Spice"
ct state vmap { invalid : drop, established : accept, related : accept, new : jump input-allow, untracked : jump input-allow }
tcp flags syn / fin,syn,rst,ack log prefix "refused connection: " level info
}
@@ -29,7 +30,8 @@
udp dport != { 53, 5353 } ct state new limit rate over 1/second burst 10 packets drop comment "rate limit for new connections"
iifname lo accept
iifname "wan" udp dport 51820 counter accept comment "Wireguard traffic"
iifname { "server", "vserver", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname "lan" tcp dport 5931 counter accept comment "Spice"
iifname { "server", "vserver", "vm-*", "lan", "wg_cloonar" } counter accept comment "allow trusted to router"
iifname { "multimedia", "smart", "infrastructure", "podman0" } udp dport { 53, 5353 } counter accept comment "DNS"
iifname { "wan", "multimedia" } icmp type { echo-request, destination-unreachable, time-exceeded } counter accept comment "Allow select ICMP"
@@ -82,11 +84,12 @@
iifname "smart" oifname "server" ip daddr 10.42.97.20/32 tcp dport { 1883 } counter accept
# Forward to git server
oifname "server" ip daddr 10.42.97.50 tcp dport { 22, 80, 443 } counter accept
oifname "server" ip daddr 10.42.97.50 tcp dport { 22 } counter accept
oifname "server" ip daddr 10.42.97.5 tcp dport { 80, 443 } counter accept
# lan and vpn to any
# TODO: disable wan when finished
iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
iifname { "lan", "server", "vserver", "wg_cloonar" } oifname { "lan", "vb-*", "vm-*", "server", "vserver", "infrastructure", "multimedia", "smart", "wg_cloonar" } counter accept
iifname { "lan", "server", "wg_cloonar" } oifname { "wrwks", "wg_epicenter", "wg_ghetto_at" } counter accept
iifname { "infrastructure" } oifname { "server", "vserver" } log prefix "Infrastructure connection: " accept
iifname { "lan", "wan" } udp dport { 8211, 27015 } counter accept comment "palworld"
@@ -97,6 +100,9 @@
oifname "server" ip daddr 10.42.97.201 tcp dport { 27020 } counter accept comment "ark survival evolved"
oifname "server" ip daddr 10.42.97.201 udp dport { 7777, 7778, 27015 } counter accept comment "ark survival evolved"
# firefox-sync
oifname "server" ip daddr 10.42.97.51 tcp dport { 5000 } counter accept comment "firefox-sync"
# allow all established, related
ct state { established, related } accept comment "Allow established traffic"
@@ -112,6 +118,7 @@
"podman*",
"guest",
"vb-*",
"vm-*",
} oifname {
"wan",
} counter accept comment "Allow trusted LAN to WAN"
@@ -125,7 +132,9 @@
content = ''
chain prerouting {
type nat hook prerouting priority filter; policy accept;
iifname "wan" tcp dport { 22, 80, 443 } dnat to 10.42.97.50
iifname "wan" tcp dport { 22 } dnat to 10.42.97.50
iifname "wan" tcp dport { 80, 443 } dnat to 10.42.97.5
iifname "wan" tcp dport { 5000 } dnat to 10.42.97.51
iifname { "wan", "lan" } udp dport { 7777, 7778, 27015 } dnat to 10.42.97.201
iifname { "wan", "lan" } tcp dport { 27020 } dnat to 10.42.97.201
}
@@ -135,6 +144,7 @@
type nat hook postrouting priority filter; policy accept;
oifname { "wan", "wg_cloonar", "wrwks", "wg_epicenter", "wg_ghetto_at" } masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.50 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.51 masquerade
iifname { "wan", "wg_cloonar" } ip daddr 10.42.97.201 masquerade
}
'';

169
hosts/fw.cloonar.com/modules/gitea-vm.nix Normal file
View File

@@ -0,0 +1,169 @@
{ nixpkgs, pkgs, ... }: let
hostname = "git-02";
json = pkgs.formats.json { };
in {
microvm.vms = {
gitea = {
config = {
microvm = {
hypervisor = "cloud-hypervisor";
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/var/lib/acme/git.cloonar.com";
mountPoint = "/var/lib/acme/${hostname}.cloonar.com";
tag = "ro-cert";
proto = "virtiofs";
}
];
interfaces = [
{
type = "tap";
id = "vm-${hostname}";
mac = "02:00:00:00:00:01";
}
];
};
imports = [
../fleet.nix
];
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking = {
hostName = hostname;
firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."${hostname}.cloonar.com" = {
sslCertificate = "/var/lib/acme/${hostname}.cloonar.com/fullchain.pem";
sslCertificateKey = "/var/lib/acme/${hostname}.cloonar.com/key.pem";
sslTrustedCertificate = "/var/lib/acme/${hostname}.cloonar.com/chain.pem";
forceSSL = true;
locations."/" = {
proxyPass = "http://localhost:3001/";
};
};
services.gitea = {
enable = true;
appName = "Cloonar Gitea server"; # Give the site a name
settings = {
server = {
ROOT_URL = "https://${hostname}.cloonar.com/";
HTTP_PORT = 3001;
DOMAIN = "${hostname}.cloonar.com";
};
openid = {
ENABLE_OPENID_SIGNIN = true;
ENABLE_OPENID_SIGNUP = true;
WHITELISTED_URIS = "auth.cloonar.com";
};
service = {
DISABLE_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = true;
SHOW_REGISTRATION_BUTTON = false;
};
actions.ENABLED=true;
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
gitea-runner = {
config = {
microvm = {
mem = 12288;
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/run/secrets";
mountPoint = "/run/secrets";
tag = "ro-token";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 102400;
}
];
interfaces = [
{
type = "tap";
id = "vm-gitea-runner";
mac = "02:00:00:00:00:02";
}
];
};
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking.hostName = "gitea-runner";
virtualisation.podman.enable = true;
services.gitea-actions-runner.instances.vm = {
enable = true;
url = "https://git.cloonar.com";
name = "vm";
tokenFile = "/run/secrets/gitea-runner-token";
labels = [
"ubuntu-latest:docker://shivammathur/node:latest"
];
settings = {
container = {
network = "podman";
};
};
};
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
system.stateVersion = "22.05";
};
};
};
sops.secrets.gitea-runner-token = {};
environment = {
systemPackages = [
pkgs.qemu
pkgs.quickemu
];
};
}

18
hosts/fw.cloonar.com/modules/gitea.nix
View File

@@ -106,21 +106,5 @@ in
};
};
sops.secrets.gitea-runner-token = { };
services.gitea-actions-runner.instances.main = {
enable = true;
url = "https://git.cloonar.com";
name = "main";
tokenFile = "/run/secrets/gitea-runner-token";
labels = [
"ubuntu-latest:docker://shivammathur/node:latest"
];
settings = {
container = {
network = "server";
};
};
};
sops.secrets.gitea-runner = {};
}

39
hosts/fw.cloonar.com/modules/home-assistant/multimedia.nix
View File

@@ -6,6 +6,19 @@
"samsungtv"
];
services.home-assistant.config = {
ios = {
actions = [
{
name = "Home Cinema";
label.text = "Home Cinema";
icon = {
icon = "theater";
color = "#ffffff";
};
show_in_watch = true;
}
];
};
binary_sensor = [
{
name = "xbox";
@@ -290,13 +303,23 @@
];
};
"automation multimedia scene switch" = {
trigger = {
alias = "multimedia scene switch";
trigger = [
{
platform = "event";
event_type = "button_pressed";
event_data = {
id = [ 254 235 105 198 ];
};
}
{
platform = "event";
event_type = "ios.action_fired";
event_data = {
actionName = "Home Cinema";
};
}
];
condition = {
condition = "state";
entity_id = "binary_sensor.multimedia_device_on";
@@ -306,12 +329,22 @@
{
choose = [
{
conditions = [
{
condition = "or";
conditions = [
{
condition = "state";
entity_id = "media_player.android_tv_metz_cloonar_multimedia";
state = "on";
}
{
condition = "state";
entity_id = "media_player.android_tv_metz_cloonar_multimedia";
state = "idle";
}
];
}
];
sequence = [
{
@@ -338,7 +371,7 @@
num_repeats = 1;
delay_secs = 0.4;
hold_secs = 0;
command = "b64:sgAQAhgMGAwZCwcdGQsHHQcdBx0ZCwcdGQsHHQcdGQsZCwcdGQwGHgYeGAwYDAYeBx0GHgcAARgZCxkMGAwGHhkLBh4HHQYeGQsHHRkLBx0GHhkLGQsHHhgMBh4GHhgMGAwGHgcdBh4GAAEZGQwYDBgMBx0YDAYeBx0GHhgMBx0ZCwcdBx0ZCxkMBh4YDAYeBh4YDBgMBh4GHgcdBgABGhgMGAwYDAYeGQsHHQYeBh4YDAYeGAwHHQcdGQwYDAYeGAwGHgYeGAwYDAYeBh4HHQcAARkYDBgMGAwGHhkLBx0HHQcdGQsHHRkMBh0HHRkMGAwGHhgMBh4HHRkLGAwHHQcdBx0HAAEZGAwZCxkLBx0ZDAYdBx0HHRkMBh0ZDAYeBh4YDBgMBh4ZCwcdBx0ZCxkMBh0HHQcdBwABGRkLGQwYDAYeGAwGHgYeBh0ZDAYeGAwHHQcdGQsZDAYdGQwGHQcdGQsZDAYdBx4GHgYAARkZDBgNFwwHHRkMBh0HHQcdGQsHHRkNBR8FHhgMGAwGHRkMBh4GHhkLGA0FHwYdBx4GAAEaGAsZDBgMBh8XDAYeBh4GHhg1EwwGHgcdGAwZDAYeGAwGHgYeGAsZDAYeBh4GHQcAARkZCxkMGAwGHhgMBh4GHgYeGQsHHRgMBx0HHRkLGQwGHhgMBh4GHhkLGQsHHQcdBx0HAAEZGQsYDRgPBAAF3AAAAAAAAAAA";
command = "b64:sQs0AB0JCxsLGx0IHQgLGh0ICxoLGx0JCxodCQobCxoLAAEXHQgdCR0JCxodCQsbCxsLGx0JCxoAAAAA";
};
}
{
@@ -381,7 +414,7 @@
num_repeats = 1;
delay_secs = 0.4;
hold_secs = 0;
command = "b64:sQs0AB0JCxsLGx0IHQgLGh0ICxoLGx0JCxodCQobCxoLAAEXHQgdCR0JCxodCQsbCxsLGx0JCxoAAAAA";
command = "b64:sgBqAgkaBBoJCRsJHBoKGgoJGgQaCQkaBAgbGwoIHAgcGwkJGwgAARkbCRsJGwkJGgQaCgkaBAgbCRsbCQkbGwkJGgQIGxwJGwkJGxsJCRwIHBoKCBsECBsbCAQIGwkAARgbChoKGgoJGxsJCRoECBsJHBsJCRoEGgkJGwkcGgobCQkbGwkJGwkbGwoIHAkbGwkJGwkAARgbCRsJGwoIGxwJCRsJGwkbGwoIGxwIChoKGhwJGwkJHBsJCRsJGxsJCRsJHBsJCRsJAAEYGwkbCRsKCBscCQkbCRsJGxsJCRwbCQkbCRsbCRsJCRscCQgcCRocCQkbCRsbCQobCQABGBsJGwkbCQkbHAkJGwkbCRsbCQkbGwoJGwkbGwkbCQkbGwoIHAkbGwkJGgobGwkKGwkAARccCRsJGwkJHBsJCRsJGwkbGwkJGxsKCRsIHBsJGwkJGxsKCRoJGxwJCRsJGxsJChsIAAEZGwgcCRsJCRscCQkbCRsJGhwJCRscCQkaChsbCRsJCRscCQgcCRocCQkbCRsbCggcCQABGBsJGwkbCggcGwkJGwkbCRsbCggcGgoJGwkbGwkbCggcGwkJGwkbGwkJHAgcGwkJGwkAARgbChoKGgoJGhwJCRsJGwkcGgoJGxsJCRsJGxsJHAkJGxsJCRsJGhwJCRwJGhwJCRsJAAEYGwoaChsJCRsbCQkaChsJGxwJCRsbCQkbCRsbChsJCRsbCQkbCRsbCgkbCRsbCQkcCAABFwQaChsJGwkJGxsKCBwIHAgcGwkJGxsKCBwIGwQaCRsJCRwaCggcCBwbCQkbCRwaCggcCAAF3AAAAAAAAAAAAAAAAAAA";
};
}
{

8
hosts/fw.cloonar.com/modules/microvm.nix Normal file
View File

@@ -0,0 +1,8 @@
{ nixpkgs, ...}:
{
imports = [ (builtins.fetchGit {
url = "https://github.com/astro/microvm.nix";
} + "/nixos-modules/host") ];
systemd.network.networks."31-server".matchConfig.Name = [ "vm-*" ];
}

24
hosts/fw.cloonar.com/modules/networking.nix
View File

@@ -7,6 +7,7 @@
};
systemd.network = {
enable = true;
wait-online.anyInterface = true;
links = {
"10-wan" = {
@@ -18,6 +19,19 @@
linkConfig.Name = "lan";
};
};
netdevs = {
"30-server".netdevConfig = {
Kind = "bridge";
Name = "server";
};
};
networks = {
"31-server" = {
matchConfig.Name = [ "vserver" ];
# Attach to the bridge that was configured above
networkConfig.Bridge = "server";
};
};
};
networking = {
@@ -51,11 +65,11 @@
# interface = "vserver";
# mode = "bridge";
# };
bridges = {
server = {
interfaces = [ "vserver" ];
};
};
# bridges = {
# server = {
# interfaces = [ "vserver" ];
# };
# };
interfaces = {
# Don't request DHCP on the physical interfaces

12
hosts/fw.cloonar.com/modules/podman.nix
View File

@@ -19,15 +19,15 @@ let
in {
users.groups.podman.gid = cids.gids.podman;
virtualisation = {
containers.containersConf.settings = {
containers.dns_servers = [ "10.42.97.1" ];
};
# containers.containersConf.settings = {
# containers.dns_servers = [ "10.42.97.1" ];
# };
podman = {
enable = true;
dockerCompat = true;
defaultNetwork.settings = {
dns_enabled = true; # Enable DNS resolution in the podman network.
};
# defaultNetwork.settings = {
# dns_enabled = true; # Enable DNS resolution in the podman network.
# };
};
};

20
hosts/fw.cloonar.com/modules/postgresql.nix Normal file
View File

@@ -0,0 +1,20 @@
{ config, pkgs, ... }:
{
services.postgresql = {
enable = true;
ensureDatabases = [ "mydatabase" ];
identMap = ''
# ArbitraryMapName systemUser DBUser
superuser_map root postgres
superuser_map postgres postgres
# Let other names login as themselves
superuser_map /^(.*)$ \1
'';
authentication = pkgs.lib.mkOverride 10 ''
#type database DBuser auth-method optional_ident_map
local sameuser all peer map=superuser_map
'';
};
};

27
hosts/fw.cloonar.com/modules/unbound.nix
View File

@@ -2,9 +2,30 @@
let
cids = import ../modules/staticids.nix;
domain = "ns.cloonar.com";
adblockLocalZones = pkgs.stdenv.mkDerivation {
name = "unbound-zones-adblock";
src = (pkgs.fetchFromGitHub {
owner = "StevenBlack";
repo = "hosts";
rev = "3.0.0";
sha256 = "01g6pc9s1ah2w1cbf6bvi424762hkbpbgja9585a0w99cq0n6bxv";
} + "/hosts");
phases = [ "installPhase" ];
installPhase = ''
${pkgs.gawk}/bin/awk '{sub(/\r$/,"")} {sub(/^127\.0\.0\.1/,"0.0.0.0")} BEGIN { OFS = "" } NF == 2 && $1 == "0.0.0.0" { print "local-zone: \"", $2, "\" static"}' $src | tr '[:upper:]' '[:lower:]' | sort -u > $out
'';
};
cfg = {
remote-control.control-enable = true;
server = {
include = [
"\"${adblockLocalZones}\""
];
interface = [ "0.0.0.0" "::0" ];
interface-automatic = "yes";
access-control = [
@@ -32,7 +53,10 @@ let
"\"deconz.cloonar.com IN A 10.42.97.22\""
"\"snapcast.cloonar.com IN A 10.42.97.21\""
"\"home-assistant.cloonar.com IN A 10.42.97.20\""
"\"web-02.cloonar.com IN A 10.42.97.5\""
"\"support.cloonar.com IN A 10.42.97.5\""
"\"git.cloonar.com IN A 10.42.97.50\""
"\"sync.cloonar.com IN A 10.42.97.51\""
"\"stage.wsw.at IN A 10.254.235.22\""
"\"prod.wsw.at IN A 10.254.217.23\""
@@ -71,6 +95,8 @@ let
"\"upgrade-staging.wienwohntbesser.at IN A 10.254.240.110\""
"\"conf.wrwks.at IN A 10.254.240.105\""
"\"web.hilgenberg-gmbh.de IN A 91.107.197.169\""
"\"deconz.cloonar.multimedia IN A 10.42.97.22\""
"\"metz.cloonar.multimedia IN A 10.42.99.10\""
# "\"ps5.cloonar.multimedia IN A 10.42.99.12\""
@@ -216,6 +242,7 @@ in {
group = "unbound";
};
services.resolved.enable = false;
services.unbound = {
enable = true;

113
hosts/fw.cloonar.com/modules/web/default.nix Normal file
View File

@@ -0,0 +1,113 @@
{ lib, nixpkgs, pkgs, ... }: let
hostname = "web-02";
json = pkgs.formats.json { };
impermanence = builtins.fetchTarball "https://github.com/nix-community/impermanence/archive/master.tar.gz";
in {
microvm.vms = {
web = {
config = {
microvm = {
mem = 4096;
# hypervisor = "cloud-hypervisor";
shares = [
{
source = "/nix/store";
mountPoint = "/nix/.ro-store";
tag = "ro-store";
proto = "virtiofs";
}
{
source = "/var/lib/microvms/persist/web-02";
mountPoint = "/persist";
tag = "persist";
proto = "virtiofs";
}
];
volumes = [
{
image = "rootfs.img";
mountPoint = "/";
size = 102400;
}
];
interfaces = [
{
type = "tap";
id = "vm-${hostname}";
mac = "02:00:00:00:00:03";
}
];
};
imports = [
"${impermanence}/nixos.nix"
../../utils/modules/sops.nix
../../utils/modules/lego/lego.nix
# ../../utils/modules/borgbackup.nix
./zammad.nix
./proxies.nix
];
time.timeZone = "Europe/Vienna";
systemd.network.networks."10-lan" = {
matchConfig.PermanentMACAddress = "02:00:00:00:00:03";
address = [ "10.42.97.5/24" ];
gateway = [ "10.42.97.1" ];
dns = [ "10.42.97.1" ];
};
fileSystems."/persist".neededForBoot = lib.mkForce true;
environment.persistence."/persist-local" = {
directories = [
"/var/lib/zammad"
"/var/lib/postgresql"
"/var/log"
"/var/lib/systemd/coredump"
];
};
environment.systemPackages = with pkgs; [
vim # my preferred editor
];
networking.hostName = hostname;
services.openssh = {
enable = true;
hostKeys = [
{
path = "/persist/etc/ssh/ssh_host_ed25519_key";
type = "ed25519";
}
{
path = "/persist/etc/ssh/ssh_host_rsa_key";
type = "rsa";
bits = 4096;
}
];
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# backups
# borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
system.stateVersion = "22.05";
};
};
};
}

10
hosts/fw.cloonar.com/modules/web/proxies.nix Normal file
View File

@@ -0,0 +1,10 @@
{ ... }: {
services.nginx.virtualHosts."git.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyPass = "https://git.cloonar.com/";
};
};
}

32
hosts/fw.cloonar.com/modules/web/secrets.yaml Normal file
View File

@@ -0,0 +1,32 @@
borg-passphrase: ENC[AES256_GCM,data:2WjoqMRmXvW9EGMmpMYhrC0Qt0Dk7QWlbEncZPdK2SxVljEoFibjVEr6jeYdAx6UkaXdjk9pD3PBbls2tWt0TiNQdh8=,iv:bHzASNjqqfPsQ/1w/oM7x0FubAzzRkn+iWrZlenU9rs=,tag:ektqi0rqEywg9YGybPQesw==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXxEyffUeaiGsT9Gh9yQqOKTstTihA48nVk/4ekAPD/ZGDQ189V1BwKkQ5chN9TSULofekfmemhUhVGjnx8OFl6hYYpTttQSTLHtczmfE2iX1JyrZy2Z+H+w6dbZjkYDayRUt/4+5wCtQJ1Nt7bjzwLWhjdVtwDeBLm/kCywVguZLCgyiuqmXMr1h9jpUS7URZegGz1lFs34Ismu1LtaRjFGRyd8aKaTU6PSxDbjE4dQ3Lh1Hm3nhtOrSkswBZLp8OTP6emrQ7c3oJp1zqO5zQHXxD2V5hkPw6ln0Ee1aQp1rvLD8shRXzRbHG+mySvjKLJvLypnNuYfQklqlnhbG+M1/NN13oVF13nHpKwP5q33sRr49mfHw8YHdRhHuhYHVrpy8ep0AmPXiDYCDM4cnlOMnzlH/toF0fq0YRny6QoqKNpaYhmA61MXRPTZCqoAcE1N+oo7HymjJetzL9b2FkPCoDOx989IJ8SUaBJpzR+agNsFi87htVllRp4ozms/m56dI0AdwqeAre00iMBzpVS0hXURE7fqvAnLHQD1goW9XB2mztqcJ09YafrOgTA3oyazWcAjxgV33GupxxIDmwRdLmavvr4qrHfddYctYLPI7VolqT9JmKN6iVG9vYsDutgoyRlhzbGASKPLgcYn9sGG+LBgTHfZyABnYOaUetVP72mhSN30ZZixcCskVlGg5C53wrW5o6mBv+PyG8PimxLmQylbvHUdGGVLQfMpJaaXgpUjBX1MWdQAVa+Nyjm7QwYdRKoCb3suQ6bOq5O9eotel3GPB8gpKzInhNA/0xiB4UyCGp1i21iRS9+Rc7yufo5s3t56k0643K2DhBUVgssiTsG15BbQdX4c1O28i9zwEZ+wVci1yvLX38M0a3tDDt9iW1BIOWehShS7dpyJR2/OgWLFagw9hYP5h24t5k6Gz2ODhPouaFccYDRUBR6UECxA+gDS+trN8iNSX1oWa0ys0XvgwWpJ2CrdSArNqe1BdhM47BQwudiA3RwaEN3wRh5PeykSk/3BUXK+ZdAr0BZ8ij2q4F8zQexLxnrV6xRqofNcVs62iJAjx6g86InSv0nNjLQ9U/fBTL66u1iRZFJhuxPjDNfLJZqT0TvRR7KBcNWTwTuMCGNp5s9TngMUF4uhHx8qGxtjfH58WjixOhC9lgUt7cYEFIeefcwIO9VVnKoiXK5sPIvIsjtLRzGvejYSd0ZwSF3Ly9FkWLkr+o5rs5bXtGMsSQ+BUFg5nM1BqrHIGv9M+F4kPxhnqm9/JXuMSQ+JUzix5N0vHuSTphCayDpMHJYRUEkDEmwPXMyB9zWVmvMb0ByUnfs/n/jmL4WRuggYqchIR3/xuco5HUqLbEKXiJ39wVgy+i3/biWOOEu5BmMx3qbgQ1+6nlxY+f1qpXZ8br0RlXLOQ6L/O9Qa9gKZaxLm/5GCiFZ+SeU/c5OgUndYqTk6FsbDlNurA69IqjwubG345lpdB9VPoGP7dLsx3VaGKW0bvr06oRaeasMx90SN5bGQJH+0iQFkGPhp0m2v31zpBk1IibXi5Qb1OWGXGYd+iNt1ZQF0HVuEqQEXI62x92QkaR7eHowR4tCRF1xH1ZrBkyjtdofUU2wPqsRrOWqGIZWUh/JpfXkSAZQo9yJKnHcp9d3BPEvWpLWS9g1Jfej5XG497aP6crWw5XawOyzi+PEgz2Y3Q0R/MM3S1W2R7Z+21nekbCfghpNylwIX4UYkeX8YorheiumkUfFXjktPSkFCTuUrYAA89WZjIIqd4/gt3tS7keCsjEiTkW2KdDPlzNItKnC8xWnpRc+Wh6ghA/nt3j4POb880j3scFoDjgOv5lNk2Q84S/IW+DQ3U8o4JrKiXsxchDvmgGbU4FbXZTGLXeM1CybmbZKogIHdwJkhC425oqA1PMiq5tDPLKpl2214JuaV4Xd8R0bwCSHYjQp9gqJT9j1Wg/3P0M3/VGZGoJEVriiBl6PBHP2CcvxK1NADDmMHgGQwwfROoSijAzzPKCy9sgzsquTkqzq8q4aChjGKShxs+52dpnmmuygSlxjyVQCEW9kLERf1Nm1arsLkHJ4ZsWgSrskGvjsPEvyEnpY33gGB7fpy90NW0GtELgGzEw/1nfLcFbRBJ7gH+4Dby2fBTxoV2ks9m0Fv6OWsfIe6H54zWLmqB1RkQaskb1wDKU3HATOmuYo/fByLIsMyR5l3P7LXWF5CJOprzp41rGts/ybJEG1EUtmVCs2epTwbeG/Waq1DB3TFa639ETjxOfGQ65PXp5aT1d5v+ko87LiR+0us6xwlfZ6NMRRZuPt4wycFgPUAAmpdmguwDKifHKA258g9kzotT25JeFFEMVhsMi1PoXEqA+sFomdsLt+Vtpr2aGMUWyHD/E2fgAtybLwxbjqDINi8vXWJxv/UZdH8wBOlWLtaeGg5/jRsMuL/hSSZ84Q2zfRVvV7/BZ7wnxfoXmAwRdTZijAvc9TxWszP6E5mAix7s/znU+1vnseJdxWa4Ff1wOGVL/Tem2K0J/mp75XuzSP7nCYDMgqhnvfzlD8vv6QpxtDUAbdTBDyPkQ4U9L6+y5ul5Aegpui+p0G9/0UHdBYhJiFd90omnhSmyHx2pvgUTfbL/Kv/pk7nwTv89a87NXNA9K6AATwx0kUPgIWs/5FGi8leCXGSsgBbJogL1htC72pKzVH6ckEzKeBzRADmwFLhnPIvp37ZkQPj0rrWRhkd5RqsFcN0166N+M4lPD0hzPd2+nEXDAOHoCK7U+BcRcJ3GUlyPU91dbWfo9otPd3naTvGVZuFDxOihLtBXaLTsxmS4STk6DVRjwNmX8YC9FwXkED19xEeH6KkaFs1nVXnmDqpvi2BcueT96t6TOeu5HcA9fAgFTpOKVT6cK2PcHTtJhjrPkfSYr0/ksJdV7r9N4JgAEfiASMMHS5uQWJlyJKWo92rJ2IvSCQx4lcK3gasgcTsVaYmuRORM+6263r4NKS8W8r55XvVyW/C7vvsVq6wF3xUkQadBkxIUQUVWxxCc1pWOlfWwMs0i+ZssoaWopbs7x45z86i+3HsHmfS6GuXUpQfgvXe9Bn7mOj7VQWaG9NIFUpIxisGfdY9L8+RXobo7etD3da7TNMs40BT+34tijcX53FzKwvG3ESNPB2hjOAITDta6LDOHhJrlVqn90p1DicThHOaT3fxt6ST287EhWqK9S1gpkLrp0gNSA9v+K9mBvWaWYNDXY7sGxOIMzCEIdFT18Pra92NhGTJtC0XizHDMUfGx5WAaard1Iy/PYXvavoAwp30qDCQGF+PgwSProa+JtQQPzoEgtSXNVhUWIzz10TACuo+vHt8sHvFG3VuU7jSOr9sqVrN36KMDUlwo0gavHKsjRxHf2OGh552q7AP+sM6Y5WhA4KhmQSUKCVxYVQ==,iv:U3+fjacm8+gZAjPQNz2mjFYTUbLyltTaPiSKb3lvCmk=,tag:ZR6zI1UijDayIvH3v35Hqg==,type:str]
zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUWdTYlRjWDJvemF5Q2sr
VCtrS2dTTGRwUlNIWHd0WkVCRkRMcGhuTzE0ClNic1FmQ05UNWQwbGc4TUFMNGlI
K0RhK2pqUGY3UElmK1pNUEkxV2xGUTQKLS0tIFRORE9JTDRZK0MwZUJoc2xlcHFH
bmp3ZW14TVdCMHhkSi84NE5neDdrY3cKYfgu7aqvG6wQmEFhmzieXFGoQpyffPXj
jiHrAPjBBFy21wdYf0nQXNMzekqOMJwOj0oNA2b5omprPxjB9uns4Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUjQxWnBMQXo3QmF1STUw
bHh1NDhvQXZIQ2RiOUx5OU5Wc3BVSEJDUEZVCmVzeFk5SWpMbVV4VUdsRmhiaWwz
bTJDY1pJRXJvNUdCSXJqQ3Byd3lWN2sKLS0tIHRKdXRNc1BYcURBRVNlenk1OEl3
Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-08-16T11:12:23Z"
mac: ENC[AES256_GCM,data:nMLxD/WP3LxLTECQ/wQjiDW3F2Lx8yeMTkNIg97eipebVZwTLiVGg4t+sVzen+X3t4tPixO2a72mWMtIVQKs8d2MzkydLh+LjYItUBP+uw/rnCjB0zfxiPN883+FO6q4+BoT0JJc4LUHbgQQWEDnKaqld4/ICE1xJbPZVEJWo40=,iv:JenHaRqB8ZVDRV5rUOgMURflqQzfOrt9pHege2oiT7g=,tag:xv0p2oW1P0FPqcrRoQ/6tw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

120
hosts/fw.cloonar.com/modules/web/zammad.nix Normal file
View File

@@ -0,0 +1,120 @@
{ config, pkgs, ... }:
{
services.zammad = {
enable = true;
port = 3010;
secretKeyBaseFile = config.sops.secrets.zammad-key-base.path;
database = {
createLocally = true;
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."support.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
extraConfig = ''
# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal;
set $upstream_authelia https://auth.cloonar.com/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
locations."/" = {
proxyPass = "http://127.0.0.1:3010";
proxyWebsockets = true;
extraConfig =
"proxy_set_header X-Forwarded-Proto 'https';" +
"proxy_set_header X-Forwarded-Ssl on;" +
"proxy_connect_timeout 300;" +
"proxy_send_timeout 300;" +
"proxy_read_timeout 300;" +
"send_timeout 300;"
;
};
locations."/auth/sso" = {
proxyPass = "http://127.0.0.1:3010";
proxyWebsockets = true;
extraConfig = ''
# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
'';
};
locations."/ws" = {
proxyPass = "http://127.0.0.1:6042";
proxyWebsockets = true;
extraConfig =
"proxy_set_header X-Forwarded-Proto 'https';" +
"proxy_set_header X-Forwarded-Ssl on;" +
"proxy_read_timeout 86400;" +
"send_timeout 300;"
;
};
};
sops.secrets = {
zammad-key-base.owner = "zammad";
};
services.postgresqlBackup.enable = true;
services.postgresqlBackup.databases = [ "zammad" ];
}

6
hosts/fw.cloonar.com/secrets.yaml
View File

@@ -6,12 +6,14 @@ wg_cloonar_key: ENC[AES256_GCM,data:Dtp6I5J0jU5LLVwEFU4DFCpUngPRmFMebGXnk2oSwsKt
wg_epicenter_works_key: ENC[AES256_GCM,data:LeLjfwfaz+loWyHYRgIMIPzHzlOnhl9tluKcQFgdes6r+deft1JfnUzDuF0=,iv:DKrc3I+U2hWDH8nnc8ZQeaVtA1eVXu7SXdTn1fxHoH4=,tag:V0PL0GrL2NEPVslAZa801A==,type:str]
wg_epicenter_works_psk: ENC[AES256_GCM,data:Den3NDWdP013Or6/2Vll1igUahuRSNW4hu+nDa5vkr93bbveQTaWFT4TD4U=,iv:r3UsD3+3lUIP2X3Grti7wpXTQBXtu1/MdrycEmpZfsI=,tag:ghbAcxmjGVOe9jCZsmFzjA==,type:str]
wg_ghetto_at_key: ENC[AES256_GCM,data:OIHmoy3SpIi9aefZnZ1PzpyHbEso18ceoTULf2eQkx1rJbaxC6PD1lma7eQ=,iv:u0eFjHHOBzPTmBvBEQsYY5flcBayiAQKd6e7RyiPwJI=,tag:731C9wvv8bA5fuuQq+weVQ==,type:str]
gitea-runner: ENC[AES256_GCM,data:IRx9QzbLJrkF/DYvpVf2012BiSBnHZJe10opkRO2kJuegdb0denW3mvmnU4isoj7jO/0QyN6HZHlHb5ihC7fFl4LavPDVjAAhZPynkpDw9IHFeqZDUSPzxQsq7FibKmfEpEmWEz+Npe8JI1kl694XYV/kqErKa3JrZS7Jm8zFcv7DSY/V5bdy4Is8ZSRtHiP/aVzFdsvjwtissCDnCl7zRZjXUcN0FssvPHBZHxLuc68EoagIw1aVSzkvSVBXer4rFdlefjskFelRnUr3pvm188=,iv:VnvPFDFGz/QyfQmZxQFB3J2ReqaHdRaypb2Vnq7Dthw=,tag:19rx0nlmXLj/6yPRAFGigA==,type:str]
gitea-runner-token: ENC[AES256_GCM,data:Nd0vsnuJficsdZaqeBZXa9vD7PLMdDtV9sMX0TxUSEMNU7Reu3HLCWuvP0easPU=,iv:4mrfQc1tobg/QiExUuWST6iU9TdNwiS1BMmOnQqCFZU=,tag:85aRoD3IkRq3mcoPdLKaBQ==,type:str]
drone: ENC[AES256_GCM,data:S8WTZqGHfcdpSojavZ87GdE5dagcTAdHBVQEbHHgnB4V7aczS6c5QdEJxK920Pjpf6o54OOQYniVsPiiXSxwjExDKPzhs/DG2hfigmf8RgfkP+3tF2W0KiPmV2jxog8w226ZKnI+hSBs8tuIfJBhrpY7Y/YNmTPfq+cnnLS8ibYqytcpzoogI9I8THzHCu3r+yejoGSyTMs9L4gPhOjz5aK4UV6V,iv:zqN/aSBI3xGGNDnpHPGyQnQP2YZOGUk6dAGtON/QlHU=,tag:o9YFDKAB5uR9lPmChyxB8g==,type:str]
home-assistant-ldap: ENC[AES256_GCM,data:uZEPbSnkgQYSd8ev6FD8TRHWWr+vusadtMcvP7KKL2AZAV0h1hga5fODN6I5u0DNL9hq2pNM+FwU0E/svWLRww==,iv:IhmUgSu34NaAY+kUZehx40uymydUYYAyte1aGqQ33/8=,tag:BKFCJPr7Vz4EG78ry/ZD7g==,type:str]
home-assistant-secrets.yaml: ENC[AES256_GCM,data:m7uOVo7hPk/RmqqRS6y7NKoMKsR9Bdi1ntatsZdDOAbJMjZmZL2FgPEHi/zF73zCfRfTOca3dwpulR3WXZ9Ic1sbUIggmusJMg4Gellw1CUhx7SbQN5nieAbPbB9GVxMuV4OakD1u7Swz8JggDT6IwojSnuD5omCRCyUH1wvKB+Re59q6EStderlm5MJNVFlVrbKVbLKLcw4yRgTh34BGnTTjcJmgSlQjO1ciu2B7YQmdl0Fw6d8AdbEzgB5TFG5ONc85UhJDE8Wlw==,iv:GCtpcVChN2UMWtfnWURozCfVj2YbRPqp/bH4Jjntybs=,tag:pcxP7gTBtXMNT5iyW5YXTw==,type:str]
palworld: ENC[AES256_GCM,data:rdqChPt4gSJHS1D60+HJ+4m5mg35JbC+pOmevK21Y95QyAIeyBLVGhRYlOaUcqdZM2e4atyTTSf6z4nHsm539ddCbW7J2DCdF5PQkrAGDmmdTVq+jyJAT8gTrbXXCglT1wvFYY5dbf2NKA4ASJIA8bdVNuwRZU0CtFiishzLuc9m8ZcGCNwQ/+xkMZgkUAHYRlEJAZyMpXR6KkFftiR05JRAFczD4N7GXPPe+vyvgXg7QBGtf20Qd4SGBUw0zI/SNTRmifHUuc4Z6+Fe9JHgvTc3uFcTMVnty0fEuL+a29liaVdAFq8BnqJfc5CNV401ZSUeMbG41lCn1cegP/WChs9J6HXNrhWDgiXa6ln++NoKcfOHIfZVbYOCoOxFR6+YWeBU2+sHmdwI9j5XQf5Ly2hmg12j0Ds2Cn8k4PG5aQP+HT2bedqyxwSt6fi97A0Osnh4ig7+DzYAjSNLewbYLzVdK39VdvB9hqLto+yFS3gAaeYOHwPwtqa+COI85c55lHiyKHlSwPhBqYaaiDu00lQTUzq9R5vz6F/l+T3bUjuna5RryUu8yhnk5DyK834KycTOg4ETcZTqro6prfiEBxc+Utsc9JvEtZgwFv6fsVLOu7nHxuiYuvseZ4YA8LlYdwPJboMPO2XsuhwWtT1uz/rh2orH7/vsXvzA/kF8NFemWBEMVLYA8byC5ze8doiGDYp4T5AAf10nJB1ceQ==,iv:gs78fxhvo9KlTaR5nzs12/LdgPChSFPHD2k4VQp3ARo=,tag:lpWBOi9xh2cWkS+71KD/UQ==,type:str]
ark: ENC[AES256_GCM,data:YYGyzoVIKI9Ac1zGOr0BEpd3fgBsvp1hSwAvfO07/EQdg8ufMWUkNvqNHDKN62ZK5A1NnY3JTA1p4gyZ4ryQeAOsbwqU1GSk2YKHFyPeEnpLz/Ml82KMsv7XPGXuKRXZ4v3UcLu0R8k1Q0gQsMWo4FjCs3FF5mVtJG/YWxxbCYHoBLJ/di5p0DgjuFgJBQknYBpuLzr+yIoeqEyN7XcGYAJO53trEJuOOxLILULifkqISHjZ66i5F1fHW0iUdRbmeWV4aOAeOrsQqXYv,iv:gJwV5ip84zHqpU0l0uESfWWOtcgihMvEEdLaeI+twcU=,tag:sy8udVQsKxV/jOqwhJmWAg==,type:str]
firefox-sync: ENC[AES256_GCM,data:uAJAdyKAuXRuqCFl8742vIejU5RnAPpUxUFCC0s0QeXZR5oH2YOrDh+3vKUmckW4V1cIhSHoe+4+I4HuU5E73DDrJThfIzBEw+spo4HXwZf5KBtu3ujgX6/fSTlPWV7pEsDDsZ0y6ziKPADBDym8yEk0bU9nRedvTBUhVryo3aolzF/c+gJvdeDvKUYa8+8=,iv:yuvE4KG7z7Rp9ZNlLiJ2rh0keed3DuvrELzsfJu4+bs=,tag:HFo1A53Eva31NJ8fRE7TlA==,type:str]
sops:
kms: []
gcp_kms: []
@@ -45,8 +47,8 @@ sops:
ejhXSmVkVjlhRDF3d1JDQlBzd2N3WncK6taU4OsyYoZc5P/2fMrSidLo2tYcH6Yw
tNJRIOqR2Iq1M4ey27jnTdw3NvYKyxjn60ZeW2xcn8CYrpf0X4gLQA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-04-30T23:51:24Z"
mac: ENC[AES256_GCM,data:joDgRM3f4Faimhx/kU3YZmcaouuWlkyr5AniEWGzAsWkipp5XjIJ10gQ7nnu7zhVfTnwJCNoamjdkoAMfeINY6LK/QCVXIxr4821nqlhLbQfKlZYlEei4ryy1sXmW/n2uhV5rHJqmSo/OKfqGmdRY6heCefseNXDETfxj86NN0s=,iv:rAIspyGn7IFzXUuZZEPEuBnwRMOwBWwycXPiMXtDEKY=,tag:RISzmjUiV+fR6PUcz9PVDw==,type:str]
lastmodified: "2024-08-02T22:57:14Z"
mac: ENC[AES256_GCM,data:U9/pKXdqXMvjQgyTIGz0JG+88aBXVgp29Fmm0OE66KMArkX8ungcEtdnGYKhD0gFJKLrKZZY5V8oyAXEq95D+Bh8ZnfmQibYw04cPldc6kTZstsrpbzrWVfn6sqG/ih12oXdsLws+H6IeN+O2qGZHDIVjvPufAdJ3A2X+Yakahg=,iv:mG+dGv3l/PNhggvlujLxDGU5z47qVA9sOTUbU2b2dPo=,tag:Rz2av33iwa9aYR7c0cviEg==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.8.1

4
hosts/mail.cloonar.com/modules/dovecot.nix
View File

@@ -55,6 +55,10 @@ let
doveadm user *@szaku-consulting.at | while read user; do
doveadm -v sync -u $user $SERVER
done
doveadm user *@korean-skin.care | while read user; do
doveadm -v sync -u $user $SERVER
done
'';
quotaWarning = pkgs.writeShellScriptBin "quota-warning.sh" ''

27
hosts/mail.cloonar.com/modules/openldap.nix
View File

@@ -255,6 +255,33 @@ in {
# olcPPolicyHashCleartext = "TRUE";
# };
"olcDatabase={8}mdb".attrs = {
objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
olcDatabase = "{8}mdb";
olcDbDirectory = "/var/lib/openldap/data";
olcSuffix = "dc=korean-skin,dc=care";
olcAccess = [
''
{0}to attrs=userPassword
by self write
by anonymous auth
by dn="cn=owncloud,ou=system,ou=users,dc=cloonar,dc=com" write
by dn="cn=authelia,ou=system,ou=users,dc=cloonar,dc=com" write
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * none
''
''
{1}to *
by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
by * read
''
];
};
# "cn=module{0},cn=config" = {
# attrs = {

12
hosts/nb-new.cloonar.com/configuration.nix
View File

@@ -18,6 +18,7 @@ in {
./utils/modules/sops.nix
./utils/modules/nur.nix
./modules/appimage.nix
./modules/sway/sway.nix
./modules/printer.nix
./modules/nvim/default.nix
@@ -34,6 +35,7 @@ in {
fonts.packages = with pkgs; [
open-sans
];
# nixos cross building qemu
@@ -108,17 +110,19 @@ in {
environment.systemPackages = with pkgs; [
bento
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
creality-print
docker-compose
drone-cli
git-filter-repo
nix-prefetch-git
openaudible
vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
wget
wireguard-tools
wineWowPackages.stable
wineWowPackages.fonts
winetricks
git-filter-repo
ykfde
nix-prefetch-git
];
environment.variables = {

11
hosts/nb-new.cloonar.com/modules/appimage.nix Normal file
View File

@@ -0,0 +1,11 @@
{ lib, pkgs, ... }:
{
boot.binfmt.registrations.appimage = {
wrapInterpreterInShell = false;
interpreter = "${pkgs.appimage-run}/bin/appimage-run";
recognitionType = "magic";
offset = 0;
mask = ''\xff\xff\xff\xff\x00\x00\x00\x00\xff\xff\xff'';
magicOrExtension = ''\x7fELF....AI\x02'';
};
}

9
hosts/nb-new.cloonar.com/modules/sway/sway.conf
View File

@@ -5,7 +5,7 @@
# i3 config file (v4)
# font for window titles and bar
font pango:Source Sans Pro 10
font pango:Source Sans Pro 15
# use win key
set $mod Mod4
@@ -211,7 +211,7 @@ bindsym $mod+Shift+c reload
bindsym $mod+Shift+r restart
# manage i3 session
bindsym $mod+Shift+e exec swaynag --background f1fa8c --border ffb86c --border-bottom-size 0 --button-background ffb86c --button-text 282a36 -t warning -f "pango:Hack 9" -m "Do you really want to exit?" -B "  Exit " "swaymsg exit" -B "  Lock " "pkill swaynag && swaylock -c 252525 -s center -i ~/.wallpaper.png" -B "  Reboot " "pkill swaynag && reboot" -B "  Shutdown " "pkill swaynag && shutdown -h now" -B " Suspend " "pkill swaynag && systemctl suspend"
bindsym $mod+Shift+e exec swaynag --background f1fa8c --border ffb86c --border-bottom-size 0 --button-background ffb86c --button-text 282a36 -t warning -f "pango:Hack 9" -m "Do you really want to exit?" -B "  Auto Suspend Off " "pkill swayidle" -B "  Exit " "swaymsg exit" -B "  Lock " "pkill swaynag && swaylock -c 252525 -s center -i ~/.wallpaper.png" -B "  Reboot " "pkill swaynag && reboot" -B "  Shutdown " "pkill swaynag && shutdown -h now" -B " Suspend " "pkill swaynag && systemctl suspend"
# resize window
bindsym $mod+r mode "  "
@@ -288,6 +288,9 @@ gaps inner 12
gaps outer 0
# startup applications
exec_always {
gsettings set org.gnome.desktop.interface text-scaling-factor 1.5
}
exec /run/wrappers/bin/gnome-keyring-daemon --start --daemonize
exec dbus-sway-environment
exec configure-gtk
@@ -311,7 +314,7 @@ exec 'sleep 2; swaymsg workspace $ws8; swaymsg layout tabbed'
exec mako --default-timeout=5000
# wallpaper
output eDP-1 scale 1.5
output eDP-1 scale 1
output eDP-1 bg #282a36 solid_color
output eDP-1 bg ~/.wallpaper.png center
output DP-4 bg #282a36 solid_color

18
hosts/nb-new.cloonar.com/modules/sway/sway.nix
View File

@@ -21,6 +21,9 @@ let
unstable = import (fetchTarball https://nixos.org/channels/nixos-unstable/nixexprs.tar.xz) {
config = { allowUnfree = true; };
};
orca-slicer-pin = import (builtins.fetchTarball {
url = "https://github.com/NixOS/nixpkgs/archive/67b4bf1df4ae54d6866d78ccbd1ac7e8a8db8b73.tar.gz";
}) {};
in {
imports = [
./social.nix
@@ -45,25 +48,17 @@ in {
theme = "where_is_my_sddm_theme_qt5";
};
# services.xserver = {
# enable = true;
# excludePackages = [ pkgs.xterm ];
# displayManager.gdm.enable = true;
# displayManager.gdm.wayland = true;
# # displayManager.sddm.enable = true;
# displayManager.sessionPackages = [ pkgs.sway ];
# displayManager.defaultSession = "sway";
# libinput.enable = true;
# };
environment.systemPackages = with pkgs; [
alsaUtils
audacity
apache-directory-studio
bitwarden
bitwarden-cli
rofi-rbw-wayland
cryptomator
quickemu
brave
chromium
firefox
@@ -110,6 +105,7 @@ in {
mqttui
networkmanagerapplet
nextcloud-client
nodejs_22
onlyoffice-bin
pavucontrol
pcmanfm

8
hosts/nb-new.cloonar.com/modules/sway/waybar.css
View File

@@ -1,5 +1,5 @@
* {
font-size: 20px;
font-size: 30px;
font-family: monospace;
}
@@ -33,7 +33,7 @@ window#waybar {
}
#workspaces button {
padding: 0 2px;
padding: 0 4px;
color: #f8f8f2;
}
#workspaces button.focused {
@@ -46,7 +46,7 @@ window#waybar {
#workspaces button:hover {
background: #252525;
border: #252525;
padding: 0 3px;
padding: 0 6px;
}
#network {
@@ -75,5 +75,5 @@ window#waybar {
#cpu,
#battery,
#disk {
padding: 0 10px;
padding: 0 20px;
}

4
hosts/nb-new.cloonar.com/users/configs/project_history
View File

@@ -9,9 +9,11 @@
/home/dominik/projects/cloonar/paraclub/paraclub-module
/home/dominik/projects/cloonar/amz/amz-api
/home/dominik/projects/cloonar/amz/amz-frontend
/home/dominik/projects/cloonar/hilgenberg-website
/home/dominik/projects/cloonar/korean-skin.care
/home/dominik/projects/myhidden.life/myhidden.life-web
/home/dominik/projects/socialgrow.tech/sgt-api
/home/dominik/projects/epicenter.works/campaigntool
/home/dominik/projects/epicenter.works/ewcampaign
/home/dominik/projects/epicenter.works/epicenter.works
/home/dominik/projects/epicenter.works/epicenter-nixos
/home/dominik/projects/epicenter.works/spenden.akvorrat.at

26
hosts/nb-new.cloonar.com/users/dominik.nix
View File

@@ -15,6 +15,7 @@ let
"calendar.ui.version" = 3;
"calendar.timezone.local" = "Europe/Vienna";
"calendar.week.start" = 1;
"layout.css.devPixelsPerPx" = "1.5";
};
thunderbirdCalendarPersonal = {
@@ -68,12 +69,20 @@ let
"devtools.toolbox.host" = "right";
"browser.uiCustomization.state" = "{\"placements\":{\"widget-overflow-fixed-list\":[],\"unified-extensions-area\":[],\"nav-bar\":[\"back-button\",\"forward-button\",\"stop-reload-button\",\"urlbar-container\",\"downloads-button\",\"screenshot-button\",\"ublock0_raymondhill_net-browser-action\",\"jid1-mnnxcxisbpnsxq_jetpack-browser-action\",\"_d634138d-c276-4fc8-924b-40a0ea21d284_-browser-action\",\"_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action\",\"_testpilot-containers-browser-action\",\"unified-extensions-button\"],\"toolbar-menubar\":[\"menubar-items\"],\"TabsToolbar\":[\"firefox-view-button\",\"tabbrowser-tabs\",\"new-tab-button\",\"alltabs-button\"],\"PersonalToolbar\":[\"import-button\",\"personal-bookmarks\"]},\"seen\":[\"save-to-pocket-button\",\"_d634138d-c276-4fc8-924b-40a0ea21d284_-browser-action\",\"_testpilot-containers-browser-action\",\"_446900e4-71c2-419f-a6a7-df9c091e268b_-browser-action\",\"ublock0_raymondhill_net-browser-action\",\"jid1-mnnxcxisbpnsxq_jetpack-browser-action\",\"developer-button\"],\"dirtyAreaCache\":[\"unified-extensions-area\",\"nav-bar\",\"PersonalToolbar\"],\"currentVersion\":20,\"newElementCount\":3}";
"signon.rememberSignons" = false;
"identity.sync.tokenserver.uri" = "https://sync.cloonar.com:5000/token/1.0/sync/1.5";
# "toolkit.legacyUserProfileCustomizations.stylesheets" = true;
"layout.css.devPixelsPerPx" = "1.5";
};
firefoxUserChrome = ''
* {
font-size: 16pt !important
}
'';
firefoxExtensions = with pkgs.nur.repos.rycee.firefox-addons; [
bitwarden
multi-account-containers
onepassword-password-manager
privacy-badger
ublock-origin
];
@@ -91,9 +100,11 @@ in
allowOther = true;
directories = [
".ApacheDirectoryStudio"
".config/Creality"
".config/github-copilot"
".config/libreoffice"
".config/Nextcloud"
".config/OrcaSlicer"
".config/rustdesk"
".config/Signal"
".config/sops"
@@ -103,6 +114,7 @@ in
".thunderbird"
"cloud.cloonar.com"
"cloud.epicenter.works"
"OpenAudible"
"projects"
"go"
];
@@ -282,6 +294,7 @@ in
id = 0;
isDefault = true;
settings = firefoxSettings;
userChrome = firefoxUserChrome;
search.default = "DuckDuckGo";
search.privateDefault = "DuckDuckGo";
search.force = true;
@@ -290,6 +303,7 @@ in
social = {
id = 1;
settings = firefoxSettings;
userChrome = firefoxUserChrome;
search.default = "DuckDuckGo";
search.privateDefault = "DuckDuckGo";
search.force = true;
@@ -345,13 +359,15 @@ in
git clone gitea@git.cloonar.com:Paraclub/module.git /nix/persist/user/dominik/projects/cloonar/paraclub/paraclub-module 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-api.git /nix/persist/user/dominik/projects/cloonar/amz/amz-api 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/amz-frontend.git /nix/persist/user/dominik/projects/cloonar/amz/amz-frontend 2>/dev/null
git clone gitea@git.cloonar.com:hilgenberg/website.git /nix/persist/user/dominik/projects/cloonar/hilgenberg-website 2>/dev/null
git clone gitea@git.cloonar.com:Cloonar/korean-skin.care.git /nix/persist/user/dominik/projects/cloonar/korean-skin.care 2>/dev/null
git clone gitea@git.cloonar.com:myhidden.life/web.git /nix/persist/user/dominik/projects/myhidden.life/myhidden.life-web 2>/dev/null
git clone gitea@git.cloonar.com:socialgrow.tech/sgt-api.git /nix/persist/user/dominik/projects/socialgrow.tech/sgt-api 2>/dev/null
ssh-keygen -R gitlab.epicenter.works
ssh-keyscan gitlab.epicenter.works >> ~/.ssh/known_hosts
git clone git@gitlab.epicenter.works:epicenter.works/campaigntool.git /nix/persist/user/dominik/projects/epicenter.works/campaigntool 2>/dev/null
git clone git@github.com:AKVorrat/ewcampaign.git /nix/persist/user/dominik/projects/epicenter.works/ewcampaign 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/website.git /nix/persist/user/dominik/projects/epicenter.works/epicenter.works 2>/dev/null
git clone git@gitlab.epicenter.works:epicenter.works/nixos.git /nix/persist/user/dominik/projects/epicenter.works/epicenter-nixos 2>/dev/null
git clone git@github.com:AKVorrat/spenden.akvorrat.at.git /nix/persist/user/dominik/projects/epicenter.works/spenden.akvorrat.at 2>/dev/null
@@ -413,6 +429,12 @@ in
TERM = "xterm-256color";
};
};
"*.hilgenberg-gmbh.de" = {
user = "root";
setEnv = {
TERM = "xterm-256color";
};
};
"amz-websrv-01.amz.at" = {
user = "ebs";
};

1
hosts/web-01.cloonar.com/configuration.nix
View File

@@ -47,6 +47,7 @@
./sites/module.paraclub.cloonar.dev.nix
./sites/gbv-aktuell.cloonar.dev.nix
./sites/stage.myhidden.life.nix
./sites/stage.korean-skin.care.nix
];
nixpkgs.config.permittedInsecurePackages = [

2
hosts/web-01.cloonar.com/modules/authelia/default.nix
View File

@@ -232,6 +232,7 @@
extraConfig = ''
allow 127.0.0.1;
allow 49.12.244.139;
allow 77.119.230.30;
deny all;
'';
};
@@ -254,6 +255,7 @@
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;

5
hosts/web-01.cloonar.com/sites/autoconfig.cloonar.com.nix
View File

@@ -30,10 +30,7 @@ in
services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = ''
return 301 https://autoconfig.cloonar.com$request_uri;
'';
services.nginx.virtualHosts."autoconfig.ghetto.at".extraConfig = ''
return 301 https://autoconfig.cloonar.com$request_uri;
'';
services.nginx.virtualHosts."autoconfig.optiprot.eu".extraConfig = ''
services.nginx.virtualHosts."autoconfig.korean-skin.care".extraConfig = ''
return 301 https://autoconfig.cloonar.com$request_uri;
'';
}

1
hosts/web-01.cloonar.com/sites/autoconfig.nix
View File

@@ -51,6 +51,7 @@ in
services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig;
services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig;
services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig;
services.nginx.virtualHosts."autoconfig.korean-skin.care" = vhostConfig;
systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false;

61
hosts/web-01.cloonar.com/sites/stage.korean-skin.care.nix Normal file
View File

@@ -0,0 +1,61 @@
{ pkgs, lib, config, ... }:
let
user = "stage_korean_skin_care";
domain = "stage.korean-skin.care";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${user}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLGkR8JVFtyFnsXTooT/krORpPDdnFk612GW1agaOeG"
];
};
users.groups.${user} = {};
}

1
hosts/web-arm/channel Normal file
View File

@@ -0,0 +1 @@
https://channels.nixos.org/nixos-24.05

83
hosts/web-arm/configuration.nix Normal file
View File

@@ -0,0 +1,83 @@
{ ... }: {
imports = [
./utils/bento.nix
./utils/modules/sops.nix
./utils/modules/lego/lego.nix
./modules/mysql.nix
./utils/modules/nginx.nix
./modules/bitwarden
./modules/authelia
./modules/collabora.nix
# ./modules/nextcloud
./modules/rustdesk.nix
./modules/postgresql.nix
./modules/grafana.nix
./modules/loki.nix
./modules/victoriametrics.nix
./utils/modules/autoupgrade.nix
./utils/modules/promtail
./utils/modules/borgbackup.nix
./utils/modules/netdata.nix
./hardware-configuration.nix
./modules/web/typo3.nix
./modules/web/stack.nix
./sites/autoconfig.cloonar.com.nix
./sites/cloonar.com.nix
./sites/gbv-aktuell.at.nix
./sites/matomo.cloonar.com.nix
./sites/cloonar.dev.nix
./sites/paraclub.cloonar.dev.nix
./sites/api.paraclub.cloonar.dev.nix
./sites/tandem.paraclub.cloonar.dev.nix
./sites/module.paraclub.cloonar.dev.nix
./sites/gbv-aktuell.cloonar.dev.nix
./sites/stage.myhidden.life.nix
./sites/stage.korean-skin.care.nix
];
nixpkgs.config.permittedInsecurePackages = [
"openssl-1.1.1v"
"openssl-1.1.1w"
];
time.timeZone = "Europe/Vienna";
services.logind.extraConfig = "RuntimeDirectorySize=2G";
sops.age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
sops.defaultSopsFile = ./secrets.yaml;
nix.gc = {
automatic = true;
options = "--delete-older-than 60d";
};
boot.tmp.cleanOnBoot = true;
zramSwap.enable = true;
networking.hostName = "web-arm";
services.openssh.enable = true;
users.users.root.openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN/2SAFm50kraB1fepAizox/QRXxB7WbqVbH+5OPalDT47VIJGNKOKhixQoqhABHxEoLxdf/C83wxlCVlPV9poLfDgVkA3Lyt5r3tSFQ6QjjOJAgchWamMsxxyGBedhKvhiEzcr/Lxytnoz3kjDG8fqQJwEpdqMmJoMUfyL2Rqp16u+FQ7d5aJtwO8EUqovhMaNO7rggjPpV/uMOg+tBxxmscliN7DLuP4EMTA/FwXVzcFNbOx3K9BdpMRAaSJt4SWcJO2cS2KHA5n/H+PQI7nz5KN3Yr/upJN5fROhi/SHvK39QOx12Pv7FCuWlc+oR68vLaoCKYhnkl3DnCfc7A7"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQuPqH5fdX3KEw7DXzWEdO3AlUn1oSmtJtHB71ICoH Generated By Termius"
];
# backups
borgbackup.repo = "u149513-sub5@u149513-sub5.your-backup.de:borg";
services.borgbackup.jobs.default.startAt = "Fri 2012-11-23 11:12:13"
networking.firewall = {
enable = true;
allowedTCPPorts = [ 22 80 443 ];
};
system.stateVersion = "22.05";
}

1
hosts/web-arm/fleet.nix Symbolic link
View File

@@ -0,0 +1 @@
../../fleet.nix

9
hosts/web-arm/hardware-configuration.nix Normal file
View File

@@ -0,0 +1,9 @@
{ modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot.loader.grub.device = "/dev/sda";
boot.initrd.availableKernelModules = [ "ata_piix" "uhci_hcd" "vmw_pvscsi" "xen_blkfront" ];
boot.initrd.kernelModules = [ "nvme" ];
fileSystems."/" = { device = "/dev/sda1"; fsType = "ext4"; };
}

281
hosts/web-arm/modules/authelia/default.nix Normal file
View File

@@ -0,0 +1,281 @@
{ config, ... }:
{
sops.secrets.authelia-jwt-secret = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
sops.secrets.authelia-backend-ldap-password = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
sops.secrets.authelia-storage-encryption-key = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
sops.secrets.authelia-session-secret = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
owner = "authelia-main";
sopsFile = ./secrets.yaml;
};
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
};
environmentVariables = {
"AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
"AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
};
settings = {
theme = "dark";
default_redirection_url = "https://cloonar.com";
server = {
host = "127.0.0.1";
port = 9091;
};
# log = {
# level = "debug";
# format = "text";
# };
authentication_backend = {
ldap = {
url = "ldaps://ldap.cloonar.com";
base_dn = "DC=cloonar,DC=com";
additional_users_dn = "OU=users";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
username_attribute = "mail";
mail_attribute = "mail";
display_name_attribute = "cn";
additional_groups_dn = "OU=groups";
groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
group_name_attribute = "cn";
permit_referrals = false;
permit_unauthenticated_bind = false;
user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
};
};
webauthn = {
disable = false;
display_name = "Authelia";
attestation_conveyance_preference = "indirect";
user_verification = "preferred";
timeout = "60s";
};
totp = {
disable = false;
issuer = "auth.cloonar.com";
algorithm = "sha1";
digits = 6;
period = 30;
skew = 1;
secret_size = 32;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.cloonar.com"];
policy = "bypass";
}
{
domain = ["*.cloonar.com"];
policy = "two_factor";
}
];
};
session = {
name = "authelia_session";
expiration = "12h";
inactivity = "45m";
remember_me_duration = "1M";
domain = "cloonar.com";
# todo: enable with 4.38
# cookies = [
# {
# domain = "cloonar.com";
# }
# {
# domain = "cloonar.dev";
# }
# {
# domain = "gbv-aktuell.at";
# same_site = "strict";
# }
# ];
};
regulation = {
max_retries = 3;
find_time = "5m";
ban_time = "15m";
};
storage = {
# mysql = {
# host = "/run/mysqld/mysqld.sock'";
# port = 3306;
# database = "authelia_main";
# username = "authelia_main";
# password = "socket_auth";
# timeout = "5s";
# };
local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
notifier = {
disable_startup_check = false;
# filesystem = {
# filename = "/var/lib/authelia-main/notification.txt";
# };
smtp = {
host = "mail.cloonar.com";
port = 25;
username = "authelia@cloonar.com";
sender = "Authelia <authelia@cloonar.com>";
};
};
identity_providers = {
oidc = {
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
clients = [
{
id = "gitea";
description = "Gitea";
secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
pre_configured_consent_duration = "1y";
scopes = [
"openid"
"profile"
"email"
];
userinfo_signing_algorithm = "none";
}
{
id = "nextcloud";
description = "Nextcloud";
secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw";
public = false;
authorization_policy = "one_factor";
redirect_uris = [
"https://nextcloud.cloonar.com/apps/oidc_login/oidc"
"https://cloud.cloonar.com/apps/user_oidc/code"
];
pre_configured_consent_duration = "1y";
scopes = [
"openid"
"profile"
"email"
"groups"
];
userinfo_signing_algorithm = "none";
}
{
id = "grafana";
description = "Grafana";
secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
pre_configured_consent_duration = "1y";
scopes = [
"openid"
"profile"
"email"
"groups"
];
userinfo_signing_algorithm = "none";
}
];
};
};
};
};
services.nginx.virtualHosts."auth.cloonar.com" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations."/api/verify" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
extraConfig = ''
allow 127.0.0.1;
allow 49.12.244.139;
allow 77.119.230.30;
deny all;
'';
};
locations."/" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
extraConfig = ''
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
};
}

45
hosts/web-arm/modules/authelia/secrets.yaml Normal file
View File

@@ -0,0 +1,45 @@
authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str]
authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str]
authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str]
authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str]
authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:yyqauvp+/8ufhCaZ1o0DWn4Nx1rdTW8C1HRVAtyCRuBaQA/yFVmZkwFVbnIDC3TrmuEMc2MXzVCREbdDsEqkGm6LJAB4Eq31NyhhbAtKufeqKHhMgEF4d41K71V//FJn2/ZBY6CaR1Ke0rX3p/Rpwk0rwddikkUmdJ7i7w9ayP8=,iv:ONBU0uWEUeQxQCGmHtGOySuLmTnJlAx//lQcK32i1Gs=,tag:Tk2BbYZSqbJRc/2cj8yxHQ==,type:str]
authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data:oQwBKE0VjTIKYWOGKFtLwkOkjTh16gf5lJvMEEVs3Sy/+gmyGGmnDHm+xv9aT7Mmq9wSM7SVBe39yT5K9bUd0vGXO2Ze5V55B+B+9bAPKUL4rPNQAeSy3QCJPh6EoG3urDD/HUklV8QCprgTlokdgVgY3fv3be2Y1oOdiZDvbacol6OlcRXSi8ZqMro+f15e44j8NGhzsSahhzOLtmiRGLr5zWnzk8b221HZWtjSdG4rLrtcCZ1UjvvUX5pf8J5PI/9X4S6J7pglG+IlI0WGSHvQ9BXGQqWgmWky/3+hnC/B3ZPm3bz5CqMHzsdx/QmiCtQQf08GOoan/3rgp3pAu5J5TPDldnzEQkWPjciOMp4ewlu4nC1AViat7DH8wFtV9IpixEZm3fMidpPBpkTTRZMCy6AstNlPMvvvRDN/6nJypN++gvkBw3OJac2xBdtbdF5uC9nIrZqWENLnOn4623/C8yJJ8a2l1W1FF95hHiZDQKua+kB4CfFJSFxhtcWj3vcCzv7QIGHZPTIVn+aCozb4CdOegLswCuY9g5ncHfOnqIhSCY3Bc2xbd5GO7kVRvqT79abwHsAdArdDJAE4Fq3mNJG9/fy0N31GW4qKMTb3W5EgEt/2OtfsUn8MwHJV9BGPMeZhpn9hdzkXo9vmakVMKNoK4SEgZmFiKCj/uwhwdvJfYMRvl/n1DSpy8mxzKWt1IO9FD5HRUhkKeas6spOSyzbi4FTJJmJb9NQ5gzAcfTXs8C49S/DSocRwUHvQMvRIRZzBejxFKdnwGxwIJiVDY/04FWAjMR4HgxkCBvo9x+CxajnCw/S9g02uY85vxW1ZURi9wUK9Q9nbEyMu1IGWadhVO6fKvqWr9rVZ6tqqJ7FP81LKca80nkY+6Elec6l6u01Lzb4pLA6MFLyJbCE97+Vmoh056N73RNapWP6G3Txs2CvtzqWdup0J4xpwAxoEqVlnkBQ61abucZH9veMoq4gvxM90S+bBX7c6A+FYRha/PXovRL/SZWEfuKlVDeLQyb2IwQ==,iv:jhnNkcLXN3pHx6S8g78+R6X+ckhOF35QK615zcH2gqI=,tag:JSHDo9nbBbhpiQFSrLuDdg==,type:str]
authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data:Et0DaniERibvBeRBmJR5zsBXRpB4yAjQpLRlJc/8+sSZ1RymDelD689/7ETe1QwBZzOxJf35dMbjBmUjcpcxl7iLiujVtd4DR8hirAwYv1HTk4WLbrTOuVhX9O/yWcdfnrn4e4MlBme54HLkeKt5F9xQ+/XvRPkuY+E+zlVd9K2rgdKuPRB4GSkW8AH55P10ts4ICN7hayFLfKWRNjs2LR3JtE/cRppe6Gse61/CG7HWlAlcTYddpYUbIGIaB9yrW3QcV11sTuJ9KpuU/jE6i/0dOosYqPLVUfShMjjnnpnk1wYmaL7F5Ibljk9g1Fzqm1Vwl/S98PYYgt98zOAuMo9djogORpI7in5tV+JoT5V/Lk3Uq3MvkalpdHJShVHUuuJPMMaFjlONS0y2ZYTyWasrwGI9KUYoKtWq5oqrHJkjtWNSagJqRMPBNK/RRtiIxBWwsWMpIlUcks/rZF+CiHKnm/Zb6a+dNsdhqz3qVCI33ry5Wmy6YdTaDBPWv3iFXLz0skVMXCN5vV7PQ86c6yRbEo5HzGdJxxdIacTZ7JLzECPS2MuWGoTKH0VwQgx3qvuMyi0r7/1VwCBGjZkO6vxie5yYlMA1AveepE+8zxCSbLuUMzC5DDVYk98SH2qNL5BZXm2mkRXxBXkQ37SOtnONNqYwvRD9wNWpSBkIumgRG3k3NEcwPwLnrCgNAlev4sXG+DUDgHy4SZ518shGkafUNncst9odQaGvx5EeSD3ItjRptFuPSU554ZZy8bV3wau8enzRP2R47sSg7jW+y0NslCwdVam2SpiXrgqeghplQCNP8uS1Py3DFf8pDOIy/9gV3kjPEOs/RNbv/2bIS20lQbEoMOotk8BHeM5/QytrArnkDcfB4d7FPWRT/Sw2imLQ8A7Q7PidhwEuugfWI6HjSW2bsW+zSf/gdG30ragEgkW9WpTAD6rbLdLdYMYa233zs9b/K6qYAoqEVjJWc+OnCTZ6PTr76Gq/kaIrJ3UlWNJadgCSNMkVs7vNYnczwGQJiaqTnAaB2yuXkIAsC6QIf83G6Z9nw5kFoyWZR5Eytfl/uU9lxv4TrvLtfEqJrdaaYXdAfefpZKmFrQJMeyoJj3ven0j61qmIiBDbkoYkNaBWQJl/mOy+lJ8J2ZaQ62cqVQCFkpcrAWdaxEHCrTu1djfCOGVqQ5d5o1E/GQiAAVgRBQtgv94PCIeCurAUtoWumfBF1wi0h1HMdJd8yZ6MgGXpPoOIZcWc1SRGkNVuoiobdfXO4fyNcJAM+XnOfJ4xO17PhnwBbaM5ECX1TRKbEyc5V36QfD5Fo/VaVOFIDt0KfxIHUxydxa83RpEYV4s13C0I+/hoULtNIDl9KNxaaT4Klq/6HL2jIaCwlRNlb1mc1lhkgaJobXygi/8iW2yyPIoSZQJKsYZhlildGTBlxrlhSDZ+3Dy1RAIRO+cvSr5/eM44xgV8DUs+z9nb+j3Kefl7qn4QBNIEWZkTcLokw/qp58O1EK/h4vays37A1628wfuCDOBSBOPZjtuX9jFg64tcZWZ6rwlVRd5RsMq9iW9MoGcfHvN6DAYTifEs7yiwZdng50OHu1k6/UJ1/LI1mVx7r+//S3rd88fQa76uosBuN5XqDrQiK+iPj3E8rThMJkeR7Hh0yUrkGBAJCs140yFTJeSt+vr6CsqSLy2RR7tb1C2wNm40F7N37Vi1rHm5jzSakm4TPd6aY3kqis6nXavnxUQHO3BKnx0ceQVoz8jqIiy1mjzVwafAn6s/ap6Fzv+sNc/zs++Mod59YnGyqKaeOkoAcmVuWgV7l4VHf1Q/K3o5ri14CHpSqkjBlL9zD3Lh1B0cQNCwHJeIKAgm+1rCpuzx45QeV/MAwWJ6/o8PjHVPm9dQG5nXEPFJA0X4lNKGkRb5wwMsXRf6RC41vvhvbD6pFZ5TCrMX/IW2ym0hOm9Trswm6SlnyLsPtAYB4SdVJxuwqy8gqPpogCm+vgsobIcs4cVAeK3ZW4ikWnSNowXJFeqjQY7ZuO42Anzddn+dodVw923KfVKJTBDK4lDQp5QrWjukbYFK33AIE2vaeJ3mqkJxzmJ027L4w0gQeaUuxh9sOKgxG7xCkzkG0HbIMuIA9E6yBCHNSwj0daB3SRrbxIEMF7F0DI3Lw0dlS4SxJ9ucJoySD1pBENuVm7bgWcY+pL5iJlkKAbVJOEk3cGJ+37XgXDkQHsNF/mxNaIxZ2losxv8GQEuldAxjCXM2hGgOF+64ccxSdH4T/OZtAmAprcB377/tJMuOXrsjMknT77FShgtRfyIzX0cJTPvuvhnswcFj9gr/1REkTkz5XL4fQx8ik4MEbEN3jiDdZEwSW5wjKuuHIZhDt+AnTqHIQZq2SdJ9g2P/36UMzWKfweRe8i7yJ/FRyqVDn63mimyxb12ZB1CkNuNe64yEVsRQvZZpYVLVhzcJrG+nNZXnCne2rFLxl3jRG2y2dgcvl1hmxYGSEFSh1scVt+d0gUmfi0u2MxX0swBpzTFlMwx2hz6pFvnl7jMCeZSitQVRw0VSaaqGeH6ZQIyEKkk8myovbV/PWn3gqcMs5L8Grm6myluBbxuaH/F7xMQadleGSft6iE0/EXoNfLWwQqNj20uuPVmF/UIehUYApHoGpYujFPFKGEdjjCGcdRYpGtlmGmaCPfc4oWJ4GjeLI6VePVhRhM+iyb+zPv8V4SltDfqih/Txs6kfsnOQ0KpjnMSobLX70xV1tm/sxAtqAzJ5I4QtX8EQaWR/rb5VIikAxuQ8yJCii/RFcSd0ss4+4vhGlOHAT1t7+lH0bnTaiUWfm169l+B01JJO8Cz3muJVC/f+PIJUNP5VHgNDUeMDB35USCxnU/0bLlxEuYHtTMLqSabU/bv6YchKZFjSlFHGFXdAEDgQ2HYi9FY1F657dvNqrGO2AwHVdeX8RSiorRlNyeb80NqyASsx6MSWPDWYtVjpD7zHXVlWDLcMVkGwvX4RtJZF8wlXR/iEur8iC+v8g2w7iG2hZD1TFmkJsn/ira4UYLzPxYNAzl4BH5sB5BUJ8GCZrHwV8dny/FTQAwtYNq7TwnAi+2dwhWF7DgX0T6fVD/utyLK19+Aash6h4TX8Y1U345l4r+ADfUfQ3d/B0m6wFEgSD60kOv6wnnYbJEbFAZ2BZEwhzeyEacQjxHceyQg256GiCvRDHX4jonyZm3Vu6kCUNWYaRCKQJY5OyL9zRF9pFsCqqkNEfvDqmjPUjXcO/xarkjjdQz4y4gsPqovhtVi0GuExxhfT1KcJk6uzS1NiX0yBi/s22cI4WLmO/QNHXeUoi0Lbw/XUwj6krNMYrvqofUOqM5tK7BpmplxzMFJeB+mhDXLfpyWAS7Yq1RfHLmnA0OBYu7MQ3UB/zZ7zGcpnAT42MlQ20M7bXCpEBaAaPzlXky9bogNEVkwoOMtVHYzQnucTAKRYzb1PnlA+GMBQpxL27IAn2EbwXNLRwSVh0lgRQFb/94J4TV09CeR5hkKMi5WaCFy50utlLL4gHDg11oNGbu0vseB1AmxzbRExW5qJ87a0A0/ECLOoo2vlgnMJECB6MYNe2na1aTOiOUpI8rArj2fUjVjAlNrUpFWIug2C+b2/I43K8Sg4Tc3ZHcrywHQ4xt2IQeeysUP8C9lHEQW2q4sF7iMujSD1Kzu8bYyCzW2AJuTJCj5psbwlag4ezwmgXpJGsC+yLrCuA/BHzrUDadoBuofNQq7tFKTGDWlN+IfkI0PY5sxMVSbm/5NSWBR060QLDq6XdKOYnzR4oI3mm1NXY4+OrVEJBXqD6zAa7ECLKo+sHBt9uL4CfEfLVNhAi2bmfauPzBZ3NiNeqoneoU16AjGNHiADLyrdRQHmWLzm1xnVmCjtpn3hPnF4AwPYKSf2ALkqHR0UpMWCzRztJGLuRG1EUpD39DgbJOQujyNLU/2g+YdZbixeD6oJ5j+l0gG7+CaumkHGsj2uhEpV1Hq8TKHV/O8I3LkF634Zu7NGaX5xP+8cOYfk3Kqm/V/u2AmMKOCU3AXHK43KhIZvEZYhTRfkICFCbdYE5co6zcvQ6Irn+wSlc5J0ozSrm0fQcFdQAMbf0odwe5VoMb66m6EngoL/VAYRJZtrmPBKUZLELRIcOXv/Nvz4oiEw+NV5u5MyKKJA2Tb6FxOPZdAf339oMCMmN/sUA9fBJ6dvzuDkVNCH5qZzlKWVq/DkZZr3TGA3cbU9FKLNKPrBpBaCdCtrjbaw2YB3HWAky/Qcmx97dRRZGcn7HvMtRnZfBbbFxYVGtgoGcaVZYyz/J4zuibpZcxdNLhu4jeJpMkX4,iv:PWdVLhu0BPx7sXMzow9wl+cqDXD2Y5J5lfVSX3tNCMg=,tag:P4vHogedMdAUeIh4XHlmdw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWkRuWXdaQ1RUbkF1d2p0
elZkbnFVSW9tVjdqSHFvbjFiL202cW1tWjJ3ClpDUEFIMDFteFA1QTdTVmtVWHI0
OFRuU1Fockh4aTBwa3l3ZjdiMFFYSm8KLS0tIGdCZjZNVXNVZWV3ZlJzY3ZyZXhr
WFp1eVZna1VWUUZuTVY4Q2h2c0Y2ZDAKcglSV3UBoZ65+SsM+zRFJmjIH61jXbT0
rpeJ8/0i4THmVpbZY+NOIh2zECmzBkAA06jv0jMoftL40h2wsdgncg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBna282T2hYcDl4UWFISDVL
eE42MjVxZndUVEU5bjJwUzdHU2xHNXVNRW13CmZwUmdCWDFNVmdDbktwOXBIbzNZ
eGgrZHQwMEdRSG11aWpoSllrcjBBY2cKLS0tIFBZRUdYVUhsbFZYV0w5T3RYc0Ez
RDJZcjA4VFNadEZCUmpOVWRBdGNKMzQKhhQCbeRxDvhFVsF3G+OoXo4i+koqqgrV
o/esYoxA1ZNsS9mhFbfMw1C2YO43iPtaWChAO5zUABDALD6dJ1Rf1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ZUJuMnNwTGpSdVA4UXV5
bkdGTWJsRjliMGJWcXBKekc3WDZiN0FWV0MwCmZIVld4M0xaWWhmUDVqSGcwbGpz
S0kzQy9scDRObS82WkMzYUw2dVBaWXMKLS0tIGpkeFZqdXIrY0lFdUgwekNJeDN4
eFhnWGdoTzdyZmtjZDJBc3FveTRaN0EKBj2hSr6qDxwW+k5hox47P5uyoHQAzCjH
+TplhMUd5p8/ud3U4lixLezGu1qftVSKtz/4SAXrSC5DYZJF1w7tDQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-17T01:43:14Z"
mac: ENC[AES256_GCM,data:zcCKk+VAddbb4vZltdC6hKPAnoo4rvcLcmIsKATQekbVo9OUk5Q5JnxglgAxXyj/YMZ7tIY/IXoWdSW4Kw673vthVnWpGLnuHtXJFGslkQ+GEkIt0z/oepr33gXErsEolZ3rIx02CVsIK5tb38ol0DhAe+6dUihsi23HruMJNog=,iv:2RVGRBTgqR9YLrRpoxuN72NOcXvRlZVTaPNiU7l75w0=,tag:lr4/sBBE9F27II289OWUNQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

114
hosts/web-arm/modules/bitwarden/default.nix Normal file
View File

@@ -0,0 +1,114 @@
{
pkgs,
config,
...
}: let
ldapConfig = {
vaultwarden_url = "https://bitwarden.cloonar.com";
vaultwarden_admin_token = "@ADMIN_TOKEN@";
ldap_host = "ldap.cloonar.com";
ldap_ssl = true;
ldap_bind_dn = "cn=bitwarden,ou=system,ou=users,dc=cloonar,dc=com";
ldap_bind_password = "@LDAP_PASSWORD@";
ldap_search_base_dn = "ou=users,dc=cloonar,dc=com";
ldap_search_filter = "(&(objectClass=cloonarUser))";
ldap_sync_interval_seconds = 3600;
};
ldapConfigFile =
pkgs.runCommand "config.toml"
{
buildInputs = [pkgs.remarshal];
preferLocalBuild = true;
} ''
remarshal -if json -of toml \
< ${pkgs.writeText "config.json" (builtins.toJSON ldapConfig)} \
> $out
'';
in {
imports = [
../../utils/modules/nur.nix
];
environment.systemPackages = with pkgs; [
nur.repos.mic92.vaultwarden_ldap
];
services.vaultwarden = {
enable = true;
dbBackend = "mysql";
config = {
domain = "https://bitwarden.cloonar.com";
signupsAllowed = false;
rocketPort = 3011;
enableDbWal = "false";
websocketEnabled = true;
smtpHost = "mail.cloonar.com";
smtpFrom = "bitwarden@cloonar.com";
smtpUsername = "bitwarden@cloonar.com";
};
};
systemd.services.vaultwarden.serviceConfig = {
EnvironmentFile = [config.sops.secrets.bitwarden-smtp-password.path];
};
systemd.services.vaultwarden_ldap = {
wantedBy = ["multi-user.target"];
preStart = ''
sed \
-e "s=@LDAP_PASSWORD@=$(<${config.sops.secrets.bitwarden-ldap-password.path})=" \
-e "s=@ADMIN_TOKEN@=$(<${config.sops.secrets.bitwarden-admin-token.path})=" \
${ldapConfigFile} \
> /run/vaultwarden_ldap/config.toml
'';
serviceConfig = {
Restart = "on-failure";
RestartSec = "2s";
ExecStart = "${pkgs.nur.repos.mic92.vaultwarden_ldap}/bin/vaultwarden_ldap";
Environment = "CONFIG_PATH=/run/vaultwarden_ldap/config.toml";
RuntimeDirectory = ["vaultwarden_ldap"];
User = "vaultwarden_ldap";
};
};
services.nginx.virtualHosts."bitwarden.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
extraConfig = ''
client_max_body_size 128M;
'';
locations."/" = {
proxyPass = "http://localhost:3011";
proxyWebsockets = true;
};
locations."/notifications/hub" = {
proxyPass = "http://localhost:3012";
proxyWebsockets = true;
};
locations."/notifications/hub/negotiate" = {
proxyPass = "http://localhost:3011";
proxyWebsockets = true;
};
};
sops.secrets = {
bitwarden-admin-token.owner = "vaultwarden_ldap";
bitwarden-ldap-password.owner = "vaultwarden_ldap";
bitwarden-db-password.owner = "vaultwarden";
bitwarden-smtp-password.owner = "vaultwarden";
};
users.users.vaultwarden_ldap = {
isSystemUser = true;
group = "vaultwarden_ldap";
};
users.groups.vaultwarden_ldap = {};
services.mysqlBackup.databases = [ "bitwarden" ];
}

42
hosts/web-arm/modules/bitwarden/secrets.yaml Normal file
View File

@@ -0,0 +1,42 @@
bitwarden-admin-token: ENC[AES256_GCM,data:nCj7kwQHTwezG3hh5J+c2MmUXwlGpdNjeh4A4SK/wgdBroAAghMSTuT6B7sjPgX5PmyBpzspdI3XqVUoBHzL6g==,iv:11C/ScaTqI1VlBSd71TA2cZNAu/wSbOs6rnDTlKlPsI=,tag:8eD0VkJn/KZ49yMe4D/MrA==,type:str]
bitwarden-db-password: ENC[AES256_GCM,data:4l3ntOHX4pdiUzfSqOwzObgMRp9eS5fjze6rJu1h3kKr/g/lsESLWiIHUoguixaNmoPU2zy42jEDvhXII6R+1g==,iv:mEMGGGyWerJaAvo7ymNfkR1YgTG1ieB3n40BB6L+UM4=,tag:iRd88BjFMMht9Ku9K34SXQ==,type:str]
bitwarden-ldap-password: ENC[AES256_GCM,data:g6tp0NzXk3ZJTGKHSzFxVZs4DhauzPS6SGW99WFX/CO0Wprgp9lh/evI6T56g2YhIv/3jqNSmi+p1FwdOzValw==,iv:mHMlhJx2aKLLkrPy+Z+/6plS/uMiK+xhYk/PF5m7+wQ=,tag:BgRNstiVnN95/pSX0DYfSw==,type:str]
bitwarden-smtp-password: ENC[AES256_GCM,data:4ruP8yMeTG5A19Oyvv2MBTj2LwecwwYc8BBU1xDT2i757orCNrQHJd0VLtzynluS9ge4vAU7G8islKwR/IIDGsEq74//CxJIyXyH9XLBfc5Jb2Rs1uz/Nz2uCWOCqm1AZ2/8uxXOPPNVhKcs3wxOLbLnA3Yzh+VFKsKIO753FkKllpFbeZanhfD2/N4fAGU4C5F+0HcrLBLBGC3X/CfQyPUSio1uwWPxRJR94DlRdPq+ir4YXHW48Mw/33lJZ+HqApk1Nf+gmTff7XTib1d44ac4JR8m20D8qOQ2Y9vfqJOxD7/PdgeqRLXN3K1PaSDE7JkWoiE0dM3vJ0q+Pqf47tm/xT4qaJvqI0jLXMwqmUg=,iv:TiZrLMPx9UbUf/4zKmRWTERM8phtyTX7Q3dCFqn+Ew4=,tag:55tuxMBWu6WpT4BllKV+pA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTVzQvK0VkUzh2MDhzSm5Z
TWlYVHNQQk9sbTkxT2JtUVFTQ01xam1FSFJBCjh3QUN1VGhCakJlR3QrZCtkdWpk
RGtGbEM0c2xUTlJiWktrczA0eVlFMm8KLS0tIFNnM0JpcHNrdFBadkpLZTZaY3VQ
ckYzWldIN01TZ3dKYmhIU1ZqK3NGWE0KvVTpNRg7RN0jKBDEDf0U+52I17+A3Gkl
1VGxCmO87cBPcxmfnxoAdpabqCV9l784YHkQsW3Z0gicr0392m78Rw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSdURKWGg1dFk2MEFzVS9q
NkNReXU3RkNHaUUvZ0RMTXNVbkI5bDBwbHdzCjY2Rm1PMitteVBZQW1xMGxYMlFH
djJLSGtFUElsaTBETk5EZzgzMGh2TmMKLS0tIENJUUlWTmhMT1dlVWRpdmYwQnFi
cW02R1F0M2djcExEeVRUalp4cnRzY28KoFN3BS4C/xqoHeD3Is0AfRJlWRJQ/i5z
rFV9USYsD23M+tdirbVgCfaSBl5RZXB4SpNFiG3QjhmQ04JuIxuHQg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0b1pReWNGenpEZ1RtVkZz
dGIrQ1NYdzdlNTNacXFkNkY4eUVSUzJ4NjNnCmYxdlFYRm9VYlRnRS9GU28xSita
cVNadTBBNmF0TjkwZnhPdHVvUWVhdXMKLS0tIGJ0MS9qOXJhVEtoSUd2TWtCUmFq
dGxUQ1RmVkhXZDVRMGx5dUFDZUlTMkEKHwwCPamlcJoiJGIOVtLdcftMm3D5DgN/
yijIfsBySzUfU1dfFp6GMpazL+81L4+8AEp3ZW7z2BBwwE7tm1yVzg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-01-28T21:53:06Z"
mac: ENC[AES256_GCM,data:jZq4UzkxyX/UhrmeKO7sFQpTlMB13lyi5/duXA0s2XX3W0U9g+TSZm21WiRGPjKmteJg0w2OhFsNk/y0uvD/oPE1ttLz/YRgiinuCoyufoX51AgQqS0KFxNBkTaDzoaKk3z1j8nEhAY2U0YS4fpOCNAkMsKdVZeTVOitcp/UeIE=,iv:5EzYCqUZri1VmD9wqQGxpypZe4F2h8W3D8a7mYbBBrg=,tag:iEFJBFmRJVw4YP5/V+21dQ==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

66
hosts/web-arm/modules/collabora.nix Normal file
View File

@@ -0,0 +1,66 @@
{ config, ... }:
{
#Collabora Containers
virtualisation.oci-containers.containers.collabora = {
image = "docker.io/collabora/code:latest";
ports = [ "9980:9980/tcp" ];
environment = {
server_name = "code.cloonar.com";
aliasgroup1 = "https://cloud.cloonar.com:443";
dictionaries = "en_US";
extra_params = "--o:ssl.enable=false --o:ssl.termination=true";
};
extraOptions = [
"--pull=newer"
];
};
services.nginx.virtualHosts.${config.virtualisation.oci-containers.containers.collabora.environment.server_name} = {
enableACME = true;
forceSSL = true;
extraConfig = ''
# static files
location ^~ /browser {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# WOPI discovery URL
location ^~ /hosting/discovery {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Capabilities
location ^~ /hosting/capabilities {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# main websocket
location ~ ^/cool/(.*)/ws$ {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
# download, presentation and image upload
location ~ ^/(c|l)ool {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Host $host;
}
# Admin Console websocket
location ^~ /cool/adminws {
proxy_pass http://127.0.0.1:9980;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "Upgrade";
proxy_set_header Host $host;
proxy_read_timeout 36000s;
}
'';
};
}

107
hosts/web-arm/modules/grafana.nix Normal file
View File

@@ -0,0 +1,107 @@
{ lib, pkgs, config, ...}:
let
ldap = pkgs.writeTextFile {
name = "ldap.toml";
text = ''
[[servers]]
host = "ldap.cloonar.com"
port = 636
use_ssl = true
bind_dn = "cn=grafana,ou=system,ou=users,dc=cloonar,dc=com"
bind_password = "$__file{/run/secrets/grafana-ldap-password}"
search_filter = "(&(objectClass=cloonarUser)(mail=%s))"
search_base_dns = ["ou=users,dc=cloonar,dc=com"]
[servers.attributes]
name = "givenName"
surname = "sn"
username = "uid"
email = "mail"
member_of = "memberOf"
[[servers.group_mappings]]
group_dn = "cn=Administrators,ou=groups,dc=cloonar,dc=com"
org_role = "Admin"
grafana_admin = true # Available in Grafana v5.3 and above
'';
};
in
{
systemd.services.grafana.script = lib.mkBefore "export GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET=$(cat /run/secrets/grafana-oauth-secret)";
services.grafana = {
enable = true;
settings = {
analytics.reporting_enabled = false;
# "auth.ldap".enabled = true;
# "auth.ldap".config_file = toString ldap;
"auth.generic_oauth" = {
enabled = true;
name = "Authelia";
icon = "signin";
client_id = "grafana";
scopes = "openid profile email groups";
empty_scopes = false;
auth_url = "https://auth.cloonar.com/api/oidc/authorization";
token_url = "https://auth.cloonar.com/api/oidc/token";
api_url = "https://auth.cloonar.com/api/oidc/userinfo";
login_attribute_path = "preferred_username";
groups_attribute_path = "groups";
name_attribute_path = "name";
use_pkce = true;
};
"auth.anonymous".enabled = true;
"auth.anonymous".org_name = "Cloonar e.U.";
"auth.anonymous".org_role = "Viewer";
server = {
root_url = "https://grafana.cloonar.com";
domain = "grafana.cloonar.com";
enforce_domain = true;
enable_gzip = true;
http_addr = "0.0.0.0";
http_port = 3001;
};
smtp = {
enabled = true;
host = "mail.cloonar.com:587";
user = "grafana@cloonar.com";
password = "$__file{${config.sops.secrets.grafana-ldap-password.path}}";
fromAddress = "grafana@cloonar.com";
};
database = {
type = "postgres";
name = "grafana";
host = "/run/postgresql";
user = "grafana";
};
security.admin_password = "$__file{${config.sops.secrets.grafana-admin-password.path}}";
};
};
services.nginx.virtualHosts."grafana.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/".extraConfig = "proxy_pass http://localhost:3001;";
};
services.postgresql.ensureUsers = [
{
name = "grafana";
ensureDBOwnership = true;
}
];
services.postgresql.ensureDatabases = [ "grafana" ];
services.postgresqlBackup.databases = [ "grafana" ];
sops.secrets = {
grafana-admin-password.owner = "grafana";
grafana-ldap-password.owner = "grafana";
grafana-oauth-secret.owner = "grafana";
};
}

151
hosts/web-arm/modules/loki.nix Normal file
View File

@@ -0,0 +1,151 @@
{ config, pkgs, ... }:
let
rulerConfig = {
groups = [
{
name = "general";
rules = [
{
alert = "Coredumps";
# filter out failed build gitlab CI runner, users or nix build sandboxes
expr = ''sum by (host) (count_over_time({unit=~"systemd-coredump.*"} !~ "(/runner/_work|/home|/build|/scratch)" |~ "core dumped"[10m])) > 0'';
for = "10s";
annotations.description = ''{{ $labels.instance }} {{ $labels.coredump_unit }} core dumped in last 10min.'';
}
];
}
];
};
rulerDir = pkgs.writeTextDir "ruler/ruler.yml" (builtins.toJSON rulerConfig);
in
{
systemd.tmpfiles.rules = [
"d /var/lib/loki 0700 loki loki - -"
"d /var/lib/loki/ruler 0700 loki loki - -"
];
services.loki = {
enable = true;
configuration = {
# Basic stuff
auth_enabled = false;
server = {
http_listen_port = 3100;
log_level = "warn";
};
# Distributor
distributor.ring.kvstore.store = "inmemory";
# Ingester
ingester = {
lifecycler.address = "0.0.0.0";
lifecycler.ring = {
kvstore.store = "inmemory";
replication_factor = 1;
};
chunk_encoding = "snappy";
# Disable block transfers on shutdown
};
# Storage
storage_config = {
boltdb.directory = "/var/lib/loki/boltdb";
boltdb_shipper = {
active_index_directory = "/var/lib/loki/index";
cache_location = "/var/lib/loki/boltdb-cache";
};
tsdb_shipper = {
active_index_directory = "/var/lib/loki/tsdb-index";
cache_location = "/var/lib/loki/tsdb-cache";
};
filesystem.directory = "/var/lib/loki/storage";
};
limits_config.retention_period = "48h";
# Table manager
table_manager = {
retention_deletes_enabled = true;
retention_period = "48h";
};
compactor = {
retention_enabled = true;
compaction_interval = "10m";
working_directory = "/var/lib/loki/compactor";
retention_delete_delay = "2h";
retention_delete_worker_count = 150;
delete_request_store = "filesystem";
};
# Schema
schema_config.configs = [
{
from = "2020-11-08";
store = "boltdb-shipper";
object_store = "filesystem";
schema = "v13";
index.prefix = "index_";
index.period = "24h";
}
{
from = "2024-04-01";
store = "tsdb";
object_store = "filesystem";
schema = "v13";
index.prefix = "index_";
index.period = "24h";
}
];
limits_config.ingestion_burst_size_mb = 16;
# ruler = {
# storage = {
# type = "local";
# local.directory = rulerDir;
# };
# rule_path = "/var/lib/loki/ruler";
# alertmanager_url = "http://alertmanager.cloonar.com";
# ring.kvstore.store = "inmemory";
# };
query_range.cache_results = true;
query_range.parallelise_shardable_queries = false;
limits_config.split_queries_by_interval = "24h";
};
};
sops.secrets.promtail-nginx-password.owner = "nginx";
services.nginx.virtualHosts."loki.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyWebsockets = true;
extraConfig = ''
auth_basic "Loki password";
auth_basic_user_file ${config.sops.secrets.promtail-nginx-password.path};
proxy_read_timeout 1800s;
proxy_redirect off;
proxy_connect_timeout 1600s;
access_log off;
proxy_pass http://127.0.0.1:3100;
'';
};
locations."/ready" = {
proxyWebsockets = true;
extraConfig = ''
auth_basic off;
access_log off;
proxy_pass http://127.0.0.1:3100;
'';
};
};
}

78
hosts/web-arm/modules/mysql.nix Normal file
View File

@@ -0,0 +1,78 @@
{ pkgs, ... }:
let
mysqlCreateDatabase = pkgs.writeShellScriptBin "mysql-create-database" ''
#!/usr/bin/env bash
if [ $# -lt 2 ]
then
echo "Usage: $0 <database> <host>"
exit 1
fi
if ! [ $EUID -eq 0 ]
then
echo "Must be root!" >&2
exit 1
fi
DB="$1"
HOST="$2"
PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)"
cat <<EOF | mysql --host localhost --user root
create database $DB;
grant usage on $DB.* to '$DB'@'$HOST' identified by '$PASSWORD';
grant all privileges on $DB.* to '$DB'@'$HOST';
EOF
echo
echo "Password for user $DB is:"
echo
echo $PASSWORD
echo
'';
mysqlDeleteDatabase = pkgs.writeShellScriptBin "mysql-delete-database" ''
#!/usr/bin/env bash
if [ $# -lt 1 ]
then
echo "Usage: $0 <database>"
exit 1
fi
if ! [ $EUID -eq 0 ]
then
echo "Must be root!" >&2
exit 1
fi
DB="$1"
PASSWORD="$(tr -dc A-Za-z0-9 < /dev/urandom | head -c 64 | xargs)"
cat <<EOF | mysql --host localhost --user root
drop database $DB;
drop user '$DB';
EOF
echo
echo "Dropped database $DB!"
echo
'';
in {
environment.systemPackages = [
mysqlCreateDatabase
mysqlDeleteDatabase
];
services.mysql = {
enable = true;
package = pkgs.mariadb;
settings = {
mysqld = {
max_allowed_packet = "64M";
};
};
};
services.mysqlBackup.enable = true;
services.mysqlBackup.databases = [ "mysql" ];
}

37
hosts/web-arm/modules/nextcloud/default.nix Normal file
View File

@@ -0,0 +1,37 @@
{ pkgs, config, ... }:
{
sops.secrets.nextcloud-adminpass.owner = "nextcloud";
services.nextcloud = {
enable = true;
hostName = "nextcloud.cloonar.com";
https = true;
package = pkgs.nextcloud27;
# Instead of using pkgs.nextcloud27Packages.apps,
# we'll reference the package version specified above
extraApps = with config.services.nextcloud.package.packages.apps; {
inherit contacts calendar tasks deck;
oidc_login = pkgs.fetchNextcloudApp rec {
url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v2.6.0/oidc_login.tar.gz";
sha256 = "sha256-MZ/Pgqrb8Y9aH1vd3BfuPhfLOmYyZQO2xVasdj+rCo4=";
};
};
extraAppsEnable = true;
database.createLocally = true;
enableBrokenCiphersForSSE = false;
config = {
adminpassFile = config.sops.secrets.nextcloud-adminpass.path;
dbtype = "mysql";
};
};
services.nginx.virtualHosts.${config.services.nextcloud.hostName} = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
};
services.mysqlBackup.databases = [ "nextcloud" ];
}

39
hosts/web-arm/modules/nextcloud/secrets.yaml Normal file
View File

@@ -0,0 +1,39 @@
nextcloud-adminpass: ENC[AES256_GCM,data:WJA7+5XqLK2eYefCviHqvHwqYPy9yfN+/3j5RTF0edrw41oB/wC5JWYejK2FzMkjkXZM0BUQ6waE3PCal3Ebqvzt/ZyC8Pwm8Z+PuMuXFx/6fQLJDxHALXH03GWAzNhUZpcZUYoNtu+uwaROg/4ZVNRu3IXxw+b2DWN65EaMO48=,iv:arkUgibmZQuaiCwYg6NBrMHZXUCLY2y/XiuVjB450ag=,tag:RH6r8nJPU24qq/EUC3jQ/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0VmR4THNkUGpvVHB6WWtw
WkQ1dlc3R0FWaXpVZ29Sd2g1ZWJzYUFQWHdFCndkUWxqZEdIQlBnSDluN2NEWmZG
VndCbXlqV3p0ZnYwcFhjeGZVa09xcW8KLS0tIHVnc2RPWTF1b2NvWVp3OEFwVDZk
V0FWOXhSbXQyd0JmVEVpdG9IeXlsQ1UKFxGluq+uOgkA7UUa6/4ZErEPRgQQ5cXS
PdB5Et5f02RWBRAUtGEE0UrLiINlIFvFAIr3PKctNVc8/Ovf/jGojg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0RnRPK0Y4ekRiYS9xdGs0
ZE5oT1FIWmlySERMbDAyQXlHNDJnQ2Q2dkVvCjNQSGlyQXlzUXAzV0wrNHppUFY4
a3k4Y2VtQ1Z4UjVqcnQ4MXhjSzJoM0UKLS0tIHBORnVoSHlJVnpjcmdZVTA1NHhF
dHVTWnpXTnNNc0l1M3J6enFBdUwwNWcK80nKzyIrrKaEa0naFsnuie+732hMZQUg
IAU9V7/bZiDItTUVdATDjjNBiXnMgDB73SqHhuyIDD+VhDkVUBhjWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVdDduRUZOS2VEUldmRFRS
QUVxeUVWRERSQ2ZkdnV1ekw4SVVFSzZvUFN3CkQrRnBQQzlnL2xtcFpVd0xiQmda
NFZnQmhxcm1xUnVZY3l2eHp6Sjl4a0UKLS0tIG1maDNiRW44VmJDSlk2eWRQcHB2
ZHpwQURoNGhuOWJPUkFpc0RSaHFBM0UKW4lMlcxC5+Hpm6DO3wwco41kJsfuWP33
+2qhmnwt8mXWxAVxNreQQ0YQDliBnQR3uUny7hWyfrIkeQzOBLBrOw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-18T17:47:34Z"
mac: ENC[AES256_GCM,data:bm/lHsobqvZSzk9crPmf8vc2idN3h/HOpQab7n7N6vtEY0QpMTv+6K7YERBD7T9oIxSNtcLNOcw6Rr2w9Cd1cq+W0azPA2dxd6/crq6rbhAgld/MipemP+YfdENxRrdyastk7P3FWyHZzhKlhem/ft0lpeiJg5NWRjA8IkLSDZc=,iv:W4cYC/e1CO5nsLx5yOaH0vGJ7fAx5bAH9acJShciHcI=,tag:whYqwogQMPPklHqoyhuL8g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

9
hosts/web-arm/modules/postgresql.nix Normal file
View File

@@ -0,0 +1,9 @@
{ pkgs, ... }: {
services.postgresql.enable = true;
services.postgresql.package = pkgs.postgresql_14;
services.postgresql.settings = {
max_connections = "300";
shared_buffers = "80MB";
};
services.postgresqlBackup.enable = true;
}

306
hosts/web-arm/modules/prometheus.nix Normal file
View File

@@ -0,0 +1,306 @@
{ config, ... }:
{
sops.secrets.alertmanager = { };
sops.secrets.hass-token.owner = "prometheus";
# imports = [
# ./matrix-alertmanager.nix
# ./irc-alertmanager.nix
# ./rules.nix
# ];
services.prometheus = {
webExternalUrl = "https://prometheus.cloonar.com";
alertmanagers = [
{
static_configs = [
{
targets = [ "localhost:9093" ];
}
];
}
];
rules = [
''
ALERT node_down
IF up == 0
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Node is down.",
description = "{{$labels.alias}} has been down for more than 5 minutes."
}
ALERT node_systemd_service_failed
IF node_systemd_unit_state{state="failed"} == 1
FOR 4m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Service {{$labels.name}} failed to start.",
description = "{{$labels.alias}} failed to (re)start service {{$labels.name}}."
}
ALERT node_filesystem_full_90percent
IF sort(node_filesystem_free{device!="ramfs"} < node_filesystem_size{device!="ramfs"} * 0.1) / 1024^3
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Filesystem is running out of space soon.",
description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} got less than 10% space left on its filesystem."
}
ALERT node_filesystem_full_in_4h
IF predict_linear(node_filesystem_free{device!="ramfs"}[1h], 4*3600) <= 0
FOR 5m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Filesystem is running out of space in 4 hours.",
description = "{{$labels.alias}} device {{$labels.device}} on {{$labels.mountpoint}} is running out of space of in approx. 4 hours"
}
ALERT node_filedescriptors_full_in_3h
IF predict_linear(node_filefd_allocated[1h], 3*3600) >= node_filefd_maximum
FOR 20m
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}} is running out of available file descriptors in 3 hours.",
description = "{{$labels.alias}} is running out of available file descriptors in approx. 3 hours"
}
ALERT node_load1_90percent
IF node_load1 / on(alias) count(node_cpu{mode="system"}) by (alias) >= 0.9
FOR 1h
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: Running on high load.",
description = "{{$labels.alias}} is running with > 90% total load for at least 1h."
}
ALERT node_cpu_util_90percent
IF 100 - (avg by (alias) (irate(node_cpu{mode="idle"}[5m])) * 100) >= 90
FOR 1h
LABELS {
severity="page"
}
ANNOTATIONS {
summary = "{{$labels.alias}}: High CPU utilization.",
description = "{{$labels.alias}} has total CPU utilization over 90% for at least 1h."
}
ALERT node_ram_using_90percent
IF node_memory_MemFree + node_memory_Buffers + node_memory_Cached < node_memory_MemTotal * 0.1
FOR 30m
LABELS {
severity="page"
}
ANNOTATIONS {
summary="{{$labels.alias}}: Using lots of RAM.",
description="{{$labels.alias}} is using at least 90% of its RAM for at least 30 minutes now.",
}
ALERT node_swap_using_80percent
IF node_memory_SwapTotal - (node_memory_SwapFree + node_memory_SwapCached) > node_memory_SwapTotal * 0.8
FOR 10m
LABELS {
severity="page"
}
ANNOTATIONS {
summary="{{$labels.alias}}: Running out of swap soon.",
description="{{$labels.alias}} is using 80% of its swap space for at least 10 minutes now."
}
ALERT homeassistant = {
IF homeassistant_entity_available{domain="persistent_notification", entity!~"persistent_notification.http_login|persistent_notification.recorder_database_migration"} >= 0
ANNOTATIONS {
description="homeassistant notification {{$labels.entity}} ({{$labels.friendly_name}}): {{$value}}"
}
ALERT gitea
IF rate(promhttp_metric_handler_requests_total{job="gitea", code="500"}[5m]) > 3
ANNOTATIONS {
description="{{$labels.instance}}: gitea instances error rate went up: {{$value}} errors in 5 minutes"
}
''
];
scrapeConfigs = [
{
job_name = "telegraf";
scrape_interval = "60s";
metrics_path = "/metrics";
static_configs = [
{
targets = [
"web-01.cloonar.com:9273"
];
labels.host = "web-01.cloonar.com";
}
{
targets = [
"mail.cloonar.com:9273"
];
labels.host = "mail.cloonar.com";
}
{
targets = [
"git.cloonar.com:9273"
];
labels.host = "git.cloonar.com";
}
{
targets = [
"home-assistant.cloonar.com:9273"
];
labels.host = "home-assistant.cloonar.com";
}
{
targets = map (host: "${host}.cloonar.com:9273") [
"web-01"
"mail"
"git"
"home-assistant"
];
labels.org = "cloonar";
}
];
}
{
job_name = "homeassistant";
scrape_interval = "60s";
metrics_path = "/api/prometheus";
authorization.credentials_file = config.sops.secrets.hass-token.path;
scheme = "https";
static_configs = [
{
targets = [
"home-assistant.cloonar.com:443"
];
}
];
}
{
job_name = "gitea";
scrape_interval = "60s";
metrics_path = "/metrics";
scheme = "https";
static_configs = [
{
targets = [
"git.cloonar.com:443"
];
}
];
}
];
};
# services.prometheus.alertmanager = {
# enable = true;
# environmentFile = config.sops.secrets.alertmanager.path;
# webExternalUrl = "https://alertmanager.cloonar.com";
# listenAddress = "[::1]";
# configuration = {
# global = {
# # The smarthost and SMTP sender used for mail notifications.
# smtp_smarthost = "mail.cloonar.com:587";
# smtp_from = "alertmanager@cloonar.com";
# smtp_auth_username = "alertmanager@cloonar.com";
# smtp_auth_password = "$SMTP_PASSWORD";
# };
# route = {
# receiver = "default";
# routes = [
# {
# group_by = [ "host" ];
# match_re.org = "krebs";
# group_wait = "5m";
# group_interval = "5m";
# repeat_interval = "4h";
# receiver = "krebs";
# }
# {
# group_by = [ "host" ];
# match_re.org = "nix-community";
# group_wait = "5m";
# group_interval = "5m";
# repeat_interval = "4h";
# receiver = "nix-community";
# }
# {
# group_by = [ "host" ];
# match_re.org = "clan-lol";
# group_wait = "5m";
# group_interval = "5m";
# repeat_interval = "4h";
# receiver = "clan-lol";
# }
# {
# group_by = [ "host" ];
# group_wait = "30s";
# group_interval = "2m";
# repeat_interval = "2h";
# receiver = "all";
# }
# ];
# };
# receivers = [
# {
# name = "krebs";
# webhook_configs = [
# {
# url = "http://127.0.0.1:9223/";
# max_alerts = 5;
# }
# ];
# }
# #{
# # name = "numtide";
# # slack_configs = [
# # {
# # token = "$SLACK_TOKEN";
# # api_url = "https://";
# # }
# # ];
# #}
# {
# name = "nix-community";
# webhook_configs = [
# {
# url = "http://localhost:9088/alert";
# max_alerts = 5;
# }
# ];
# }
# {
# name = "clan-lol";
# webhook_configs = [
# # TODO
# #{
# # url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
# # max_alerts = 5;
# #}
# ];
# }
# {
# name = "all";
# pushover_configs = [
# {
# user_key = "$PUSHOVER_USER_KEY";
# token = "$PUSHOVER_TOKEN";
# priority = "0";
# }
# ];
# }
# {
# name = "default";
# }
# ];
# };
# };
}

39
hosts/web-arm/modules/rustdesk.nix Normal file
View File

@@ -0,0 +1,39 @@
{ config, pkgs, ... }:
{
virtualisation = {
podman.enable = true;
oci-containers.containers = {
rustdesk-server = {
image = "rustdesk/rustdesk-server-s6:1";
volumes = [ "/var/lib/rustdesk-server:/data" ];
environment = {
RELAY = "rustdesk.cloonar.com:21117";
};
ports = [
"21115:21115"
"21116:21116"
"21116:21116/udp"
"21118:21118"
"21117:21117"
"21119:21119"
];
};
};
};
users.users.rustdesk-server = {
isSystemUser = true;
group = "rustdesk-server";
home = "/var/lib/rustdesk-server";
createHome = true;
};
users.groups.rustdesk-server = { };
users.groups.docker.members = [ "rustdesk-server" ];
networking.firewall = {
enable = true;
allowedTCPPorts = [ 5000 21115 21116 21117 21118 21119 ];
allowedUDPPorts = [ 21116 ];
};
}

43
hosts/web-arm/modules/victoriametrics.nix Normal file
View File

@@ -0,0 +1,43 @@
{ config, ... }:
let
configure_prom = builtins.toFile "prometheus.yml" ''
scrape_configs:
- job_name: '${config.networking.hostName}'
stream_parse: true
static_configs:
- targets:
- 127.0.0.1:9100
'';
in {
services.prometheus.exporters.node.enable = true;
sops.secrets.victoria-nginx-password.owner = "nginx";
services.victoriametrics = {
enable = true;
extraOptions = [
"-promscrape.config=${configure_prom}"
];
};
services.nginx.virtualHosts."victoria-server.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
locations."/" = {
proxyWebsockets = true;
extraConfig = ''
auth_basic "Victoria password";
auth_basic_user_file ${config.sops.secrets.victoria-nginx-password.path};
proxy_read_timeout 1800s;
proxy_redirect off;
proxy_connect_timeout 1600s;
access_log off;
proxy_pass http://127.0.0.1:8428;
'';
};
};
}

328
hosts/web-arm/modules/web/stack.nix Normal file
View File

@@ -0,0 +1,328 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.webstack;
instanceOpts = { name, ... }:
{
options = {
user = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
User of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domain = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Domain of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domainAliases = mkOption {
type = types.listOf types.str;
default = [];
example = [ "www.example.org" "example.org" ];
description = lib.mdDoc ''
Additional domains served by this typo3 instance.
'';
};
phpPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.php";
description = lib.mdDoc ''
Which PHP package to use in this typo3 instance.
'';
};
phpOptions = mkOption {
type = types.lines;
default = "";
description = ''
"Options appended to the PHP configuration file {file}`php.ini` used for this PHP-FPM pool."
'';
};
enableMysql = mkEnableOption (lib.mdDoc "MySQL Database");
enableDefaultLocations = mkEnableOption (lib.mdDoc "Create default nginx location directives") // { default = true; };
authorizedKeys = mkOption {
type = types.listOf types.str;
default = null;
description = lib.mdDoc ''
Authorized keys for the typo3 instance ssh user.
'';
};
extraConfig = mkOption {
type = types.lines;
default = ''
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
'';
description = lib.mdDoc ''
These lines go to the end of the vhost verbatim.
'';
};
locations = mkOption {
type = types.attrsOf (types.submodule (import <nixpkgs/nixos/modules/services/web-servers/nginx/location-options.nix> {
inherit lib config;
}));
default = {};
example = literalExpression ''
{
"/" = {
proxyPass = "http://localhost:3000";
};
};
'';
description = lib.mdDoc "Declarative location config";
};
};
};
in
{
options.services.webstack = {
dataDir = mkOption {
type = types.path;
default = "/var/www";
description = lib.mdDoc ''
The data directory for MySQL.
::: {.note}
If left as the default value of `/var/www` this directory will automatically be created before the web
server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.
:::
'';
};
instances = mkOption {
type = types.attrsOf (types.submodule instanceOpts);
default = {};
description = lib.mdDoc "Create vhosts for typo3";
example = literalExpression ''
{
"typo3.example.com" = {
domain = "example.com";
domainAliases = [ "www.example.com" ];
phpPackage = pkgs.php81;
authorizedKeys = [
"ssh-rsa AZA=="
];
};
};
'';
};
};
config = {
systemd.services = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
in
nameValuePair "phpfpm-${domain}" {
serviceConfig = {
ProtectHome = lib.mkForce "tmpfs";
BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}";
};
}
) cfg.instances;
services.phpfpm.pools = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
user = user;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "syslog";
"php_admin_value[max_execution_time]" = 240;
"php_admin_value[max_input_vars]" = 1500;
"access.log" = "/var/log/$pool.access.log";
};
phpOptions = instanceOpts.phpOptions;
phpPackage = instanceOpts.phpPackage;
phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ];
}
) cfg.instances;
};
config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = cfg.dataDir + "/" + domain + "/public";
locations = lib.mkMerge [
instanceOpts.locations
(mkIf instanceOpts.enableDefaultLocations {
"/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
# Cache.appcache, your document html and data
"~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = ''
expires -1;
# access_log logs/static.log; # I don't usually include a static log
'';
"~* \\.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
# Cache Media: images, icons, video, audio, HTC
"~* \\.(?:jpg|jpeg|gif|png|webp|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
# Feed
"~* \\.(?:rss|atom)$".extraConfig = ''
expires 1h;
add_header Cache-Control "public";
'';
# Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts
"~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
"/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
})
{
"~ [^/]\\.php(/|$)".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
}
];
extraConfig = instanceOpts.extraConfig;
# locations = mapAttrs' (location: locationOpts:
# nameValuePair location locationOpts) instanceOpts.locations;
}
) cfg.instances;
config.users.users = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair user {
isNormalUser = true;
createHome = true;
home = "/var/www/" + domain;
homeMode= "770";
group = config.services.nginx.group;
openssh.authorizedKeys.keys = instanceOpts.authorizedKeys;
}
) cfg.instances;
config.users.groups = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in nameValuePair user {}) cfg.instances;
config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
mkIf instanceOpts.enableMysql {
name = user;
ensurePermissions = {
"${user}.*" = "ALL PRIVILEGES";
};
}) cfg.instances;
config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
mkIf instanceOpts.enableMysql user
) cfg.instances;
config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
mkIf instanceOpts.enableMysql user
) cfg.instances;
}

445
hosts/web-arm/modules/web/typo3.nix Normal file
View File

@@ -0,0 +1,445 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.services.typo3;
instanceOpts = { name, ... }:
{
options = {
user = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
User of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domain = mkOption {
type = types.nullOr types.str;
default = null;
description = lib.mdDoc ''
Domain of the typo3 instance. Defaults to attribute name in instances.
'';
example = "example.org";
};
domainAliases = mkOption {
type = types.listOf types.str;
default = [];
example = [ "www.example.org" "example.org" ];
description = lib.mdDoc ''
Additional domains served by this typo3 instance.
'';
};
phpPackage = mkOption {
type = types.package;
example = literalExpression "pkgs.php";
description = lib.mdDoc ''
Which PHP package to use in this typo3 instance.
'';
};
authorizedKeys = mkOption {
type = types.listOf types.str;
default = null;
description = lib.mdDoc ''
Authorized keys for the typo3 instance ssh user.
'';
};
};
};
in
{
options.services.typo3 = {
dataDir = mkOption {
type = types.path;
default = "/var/www";
description = lib.mdDoc ''
The data directory for MySQL.
::: {.note}
If left as the default value of `/var/www` this directory will automatically be created before the web
server starts, otherwise you are responsible for ensuring the directory exists with appropriate ownership and permissions.
:::
'';
};
instances = mkOption {
type = types.attrsOf (types.submodule instanceOpts);
default = {};
description = lib.mdDoc "Create vhosts for typo3";
example = literalExpression ''
{
"typo3.example.com" = {
domain = "example.com";
domainAliases = [ "www.example.com" ];
phpPackage = pkgs.php82;
authorizedKeys = [
"ssh-rsa AZA=="
];
};
};
'';
};
};
config = {
# systemd.services = mapAttrs' (instance: instanceOpts:
# let
# domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
# in
# nameValuePair "phpfpm-${domain}" {
# serviceConfig = {
# ProtectHome = lib.mkForce "tmpfs";
# BindPaths = "BindPaths=/var/www/${domain}:/var/www/${domain}";
# };
# }
# ) cfg.instances;
systemd.timers = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair ("typo3-cron-" + domain) {
wantedBy = [ "timers.target" ];
timerConfig = {
OnCalendar = "05:00";
Unit = "typo3-cron-" + domain + ".service";
};
}
) cfg.instances;
systemd.services = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair ("typo3-cron-" + domain) {
script = ''
set -eu
${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 scheduler:run
${instanceOpts.phpPackage}/bin/php /var/www/${domain}/.Build/bin/typo3 ke_search:indexing
'';
serviceConfig = {
Type = "oneshot";
User = user;
};
}
) cfg.instances;
services.phpfpm.pools = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
user = user;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "syslog";
"php_admin_value[max_execution_time]" = 240;
"php_admin_value[max_input_vars]" = 1500;
"php_admin_value[upload_max_filesize]" = "256M";
"php_admin_value[post_max_size]" = "256M";
"access.log" = "/var/log/$pool.access.log";
};
phpOptions = ''
opcache.enable=1
opcache.memory_consumption=128
opcache.validate_timestamps=0
opcache.revalidate_path=0
'';
phpPackage = instanceOpts.phpPackage;
phpEnv."PATH" = pkgs.lib.makeBinPath [ instanceOpts.phpPackage ];
}
) cfg.instances;
};
config.services.nginx.virtualHosts = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair domain {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = cfg.dataDir + "/" + domain + "/public";
serverAliases = instanceOpts.domainAliases;
extraConfig = ''
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal;
set $upstream_authelia http://127.0.0.1:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
# locations."/typo3/login" = {
# extraConfig = ''
# # Basic Authelia Config
# # Send a subsequent request to Authelia to verify if the user is authenticated
# # and has the right permissions to access the resource.
# auth_request /authelia;
# # Set the `target_url` variable based on the request. It will be used to build the portal
# # URL with the correct redirection parameter.
# auth_request_set $target_url $scheme://$http_host$request_uri;
# # Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# # returned by Authelia for the backends which can consume them.
# # This is not safe, as the backend must make sure that they come from the
# # proxy. In the future, it's gonna be safe to just use OAuth.
# auth_request_set $user $upstream_http_remote_user;
# auth_request_set $groups $upstream_http_remote_groups;
# auth_request_set $name $upstream_http_remote_name;
# auth_request_set $email $upstream_http_remote_email;
# proxy_set_header Remote-User $user;
# proxy_set_header Remote-Groups $groups;
# proxy_set_header Remote-Name $name;
# proxy_set_header Remote-Email $email;
# # If Authelia returns 401, then nginx redirects the user to the login portal.
# # If it returns 200, then the request pass through to the backend.
# # For other type of errors, nginx will handle them as usual.
# error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
#
# fastcgi_param REMOTE_USER $user;
#
# include ${pkgs.nginx}/conf/fastcgi.conf;
# fastcgi_buffer_size 32k;
# fastcgi_buffers 8 16k;
# fastcgi_connect_timeout 240s;
# fastcgi_read_timeout 240s;
# fastcgi_send_timeout 240s;
# fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
# fastcgi_param SCRIPT_FILENAME ${cfg.dataDir}/${domain}/public/typo3/index.php;
# '';
# };
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
# TYPO3 - Block access to composer files
locations."~* composer\\.(?:json|lock)".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to flexform files
locations."~* flexform[^.]*\\.xml".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to language files
locations."~* locallang[^.]*\\.(?:xml|xlf)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to static typoscript files
locations."~* ext_conf_template\\.txt|ext_typoscript_constants\\.txt|ext_typoscript_setup\\.txt".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to miscellaneous protected files
locations."~* /.*\\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = ''
deny all;
'';
# locations."~* /.*\.(?:bak|cfg|co?nf|ya?ml|ts)$".extraConfig = ''
# deny all;
# '';
# TYPO3 - Block access to recycler and temporary directories
locations."~ _(?:recycler|temp)_/".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to configuration files stored in fileadmin
locations."~ fileadmin/(?:templates)/.*\\.(?:txt|ts|typoscript)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to libraries, source and temporary compiled data
locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to protected extension directories
locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = ''
deny all;
'';
# Cache.appcache, your document html and data
locations."~* \\.(?:manifest|appcache|html?|xml|json)$".extraConfig = ''
expires -1;
# access_log logs/static.log; # I don't usually include a static log
'';
# Cache Media: images, icons, video, audio, HTC
locations."~* \\.(?:jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
# Feed
locations."~* \\.(?:rss|atom)$".extraConfig = ''
expires 1h;
add_header Cache-Control "public";
'';
# Cache CSS, Javascript, Images, Icons, Video, Audio, HTC, Fonts
locations."~* \\.(?:css|js|jpg|jpeg|gif|png|ico|cur|gz|svg|svgz|mp4|ogg|ogv|webm|htc|woff2)$".extraConfig = ''
expires 1y;
access_log off;
add_header Cache-Control "public";
'';
locations."/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
# TYPO3 Backend URLs
locations."/typo3$".extraConfig = ''
rewrite ^ /typo3/;
'';
locations."/typo3/".extraConfig = ''
try_files $uri /typo3/index.php$is_args$args;
'';
locations."~ [^/]\\.php(/|$)".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
}
) cfg.instances;
config.users.users = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
nameValuePair user {
isNormalUser = true;
createHome = true;
home = "/var/www/" + domain;
homeMode= "770";
group = config.services.nginx.group;
openssh.authorizedKeys.keys = instanceOpts.authorizedKeys;
}
) cfg.instances;
config.users.groups = mapAttrs' (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in nameValuePair user {}) cfg.instances;
config.services.mysql.ensureUsers = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
{
name = user;
ensurePermissions = {
"${user}.*" = "ALL PRIVILEGES";
};
}) cfg.instances;
config.services.mysql.ensureDatabases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
user
) cfg.instances;
config.services.mysqlBackup.databases = mapAttrsToList (instance: instanceOpts:
let
domain = if instanceOpts.domain != null then instanceOpts.domain else instance;
user = if instanceOpts.user != null
then instanceOps.user
else builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in
user
) cfg.instances;
}

117
hosts/web-arm/modules/zammad/default.nix Normal file
View File

@@ -0,0 +1,117 @@
{ config, pkgs, ... }:
{
services.zammad = {
enable = true;
port = 3010;
secretKeyBaseFile = config.sops.secrets.zammad-key-base.path;
database = {
createLocally = true;
};
};
services.nginx.enable = true;
services.nginx.virtualHosts."support.cloonar.com" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
extraConfig = ''
# Virtual endpoint created by nginx to forward auth requests.
location /authelia {
internal;
set $upstream_authelia http://127.0.0.1:9091/api/verify;
proxy_pass_request_body off;
proxy_pass $upstream_authelia;
proxy_set_header Content-Length "";
# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# [REQUIRED] Needed by Authelia to check authorizations of the resource.
# Provide either X-Original-URL and X-Forwarded-Proto or
# X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
# Those headers will be used by Authelia to deduce the target url of the user.
# Basic Proxy Config
client_body_buffer_size 128k;
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
}
'';
locations."/" = {
proxyPass = "http://127.0.0.1:3010";
proxyWebsockets = true;
extraConfig =
"proxy_connect_timeout 300;" +
"proxy_send_timeout 300;" +
"proxy_read_timeout 300;" +
"send_timeout 300;"
;
};
locations."/auth/sso" = {
proxyPass = "http://127.0.0.1:3010";
proxyWebsockets = true;
extraConfig = ''
# Basic Authelia Config
# Send a subsequent request to Authelia to verify if the user is authenticated
# and has the right permissions to access the resource.
auth_request /authelia;
# Set the `target_url` variable based on the request. It will be used to build the portal
# URL with the correct redirection parameter.
auth_request_set $target_url $scheme://$http_host$request_uri;
# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
# returned by Authelia for the backends which can consume them.
# This is not safe, as the backend must make sure that they come from the
# proxy. In the future, it's gonna be safe to just use OAuth.
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_set_header Remote-Name $name;
proxy_set_header Remote-Email $email;
# If Authelia returns 401, then nginx redirects the user to the login portal.
# If it returns 200, then the request pass through to the backend.
# For other type of errors, nginx will handle them as usual.
error_page 401 =302 https://auth.cloonar.com/?rd=$target_url;
'';
};
locations."/ws" = {
proxyPass = "http://127.0.0.1:6042";
proxyWebsockets = true;
extraConfig =
"proxy_read_timeout 86400;" +
"send_timeout 300;"
;
};
};
sops.secrets = {
zammad-db-password.sopsFile = ./secrets.yaml;
zammad-key-base.owner = "zammad";
};
services.postgresqlBackup.enable = true;
services.postgresqlBackup.databases = [ "zammad" ];
}

40
hosts/web-arm/modules/zammad/secrets.yaml Normal file
View File

@@ -0,0 +1,40 @@
zammad-db-password: ENC[AES256_GCM,data:FFsTnwQcL8V1ZWvZ9a15FWcHnsrC7nuDW155reSmfg/IRhRfrtnvbCDQ0N3AMh7TBiyG3x5za/6orV04CplUgQ==,iv:inQXkwlTbGaKgU3nfOtIYMcheBdGv8xa7dCad8WrGEc=,tag:fxjNRCUpS6RMipk4D08new==,type:str]
zammad-key-base: ENC[AES256_GCM,data:z2v1GrjRFoaDY9tPaAsUJPVRHZhSOrXWCZhhm5E6rmH4s6QWU1EW7aY4PPgditdcathLRWkDlBT5c3SQ8Cd2DPLp/SVn9Xd8w8g/lrplhNC2sJXUyB+CUgdEnBBN0XPMsFWNx9EIrqGrF/A8js5eKtQON9fCNytaHMOsCCc0rNE=,iv:oHKiXE9U0h846XVpCrcD/dFJ1MAXCYrnM80CwaWgALc=,tag:W88DsRWvdudMscH+UBPy/Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUc0RlQUt4VHU1eWZrdlF5
UFhjSU5TWFlGbTIwbzVlaStHaWRTdS92d0YwCkJQRlh0eWVNRW9SdUFXQUZzNFYw
dktoSmFqbWxDbXR0dDNTNy8zTHYwQUEKLS0tIFFwQkdvK2QvSmFGaVRBaVFMeEFi
YUZ6b1dzUGZkL2t4aU5tTjA4UC9KU3cKmhugvvIexQqpVtGp7aLKU7WSQNxk0cTO
+8MWF1v0mztJlGbiWk5OOzT9L8TO7GDGXfi8GyMVgVBvaA7tFF709w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFZGRWbnVxVUdHWndEanlk
Wmp4WS8yUjdrVSsxTHFNcjFUWm5IZytaZVRzCmorZTJRSnBRTE5qK2xiZGtYNXZH
RjBDdWE5NjE3ZWtXRU5Fc2FaVFkzNUEKLS0tIGwvUjVBL2NpdTFsY04zbktJRGxF
QWo1Vm56dnZWQ2l1K3hzVlZDL3BaTHMKw9CjtbS9hyW42prUhlTIcmcb4Z6OaxRr
T7RJZxXefEr4myJYI5B3pqbXlBpSLLwS4lgtoqHmmYuSNjL8/xoksw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBicStLZGZvdGJyMyszMkFo
S2xTeUM5ZEIrbUxqbXBxQTUyeHhJVTAzUm40Ck5KbngvdWYvVk5VYTRCUWhZeFkw
eFJKVEZ3VnpuL3BmOFVQdCs2K3hoTUUKLS0tIEhFRXZyRlpPZUpEanFMU1oweVJ2
RVJjc0FUb0NFMHk2M3gxTmhMYjlrTDgKR0tfq1CWU8OdeeigOsKqNx2sszVtPWjH
yXcqe/jLAnvS/Ut/afEyfGYEiyyzJXLp9TGjV1fAp9y2K2noD8/TwQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-29T10:54:56Z"
mac: ENC[AES256_GCM,data:OX49RTucGWdH1RkbXfkiMLH2Lj65v554WSfJxkCkIu/dFagCH90QSRiX/15HTsI//ffwKVurDivC6H6OByK2eWdaeCYTEn2029GjdL4RhJhXy0RLXEq5D/KVRu73O9Xe6M36asc/OenzPcmbHAvddD14y9vaOsVTL0H15ydVrwg=,iv:+uBt1Mvj+WMM4CvAOwmOXhZJVZBXVDCXA8iSXpdjktU=,tag:AeipsBJ8PA22OfUxXA8bIA==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

50
hosts/web-arm/secrets.yaml Normal file
View File

@@ -0,0 +1,50 @@
borg-passphrase: ENC[AES256_GCM,data:V77hfP5jk/DXcvRiZKu6RLAqsJhlIelkQwA6ClYJKNmMtvAXG+g6794YJ+ooof1h8qcnMoctEWMUcsBetjaguA==,iv:OyJF/dftfEaGUnmbzrcn0P0tvnUZX4l6Vk0Qf0NwwfE=,tag:AAkRMD+jq01BPq2LSYPQGA==,type:str]
borg-ssh-key: ENC[AES256_GCM,data:7F7uUlTP3ZKkpySj6/AGfH3K1/8/GzIdfp+ch1hU55zX51KgRs/KuGmj+yKyH9ua41oR4FR94MoiTb3u3MRpUj6dqO4VjVm6fRgJFNXOBhTUcelRR98Nq2QClkRqcNmPiHQC4bxjyW9C1tZfCA52AIILGh9O1Q9XnYAz2q8JwbrY+eTXS/U/1Fh1D+0Y9q1n+oingehal2huHzeVsLxFlip3TmGJx8QBlnAbANABKrMFxkHAlkvAVCrF1MULzeDeeWscHi5T80OvJfOZBSonNEZosw6QJVscMYxh047Yyl6YJ/sxIJjZjC7GiLuG/FC0FCLKRhD8PkZFjrDt/6xwrqePxIb7yIKZRpsvNVCplDDdVOB/V0AqRWAeZh3z813Zi+tnjynHPYaphso/qY2r/HZKlGInzW+QCUBdPVifhVL+y2TKytCWcp4A+c/3Dc2Ut59sfO+hqE946nYGl2S+kpNASHhBa7o6cnaMtfz8NT6rVtYN/3l1snlxeOUZo85XAuYCIerGsMkdVENg5RIJwIzwM0oaGwNzruq8cul5MfAf8hFMXpoLggYECynHk9TNdhsNtUzmsS9cXAyPnnzZT6HGI2/5cgU1weCHbbXAq+ZU9WZwOT41Fpwda/WrNJuMJYFCOFer2hcSLEyxsCfqmPSdwpYRRSYHiaCuVghV6lWyi1IVV5EsX9H6hD+Uetux1SEN95ga8edME16W2dubA0yukcOq+XHI7PMEHAs20H+dybsmVx1XjIsiV/XBWkrooFBXQp950p93XOK49vwNmHNohhCvmERkH0dczGQ5vTAMXwIYqydTqXWERDRzJVvK+pbzKiecEzhFHFge345poUKQS7BWNsv+eehgBAH4HEddtzzzjcPGYMHAhafAm1VqO2BvKg2r3XnzElUCjxWlGfrMkU+LhIgAjom8Mk9+Kha+OD84+iZnuoq73TjpqaUgC0TbkxLAm0DPgk8LsLE9XfJaroftKnrE7P7kyNGSQZfGYcl7ssLck5LJA07dTvDtytlL1Kk8RJe4FwFNPLtdiAnCVvKBe0kcClvCWrrxRt1QT85b+9IwG1yhRxlxheleePX1Fwlg/d2xj6AB3Cz7kAVO2phGPAF16Ke/UQeMxhbOIcy20g7RoiCpfx9jvdwExhDmbmUR7cleL1seFH+wgAM6uQwh80+q8IDJWPNyeXOwiA2siPwexb20xN+n1kIMa03U5Bn+lBqYoh0xXhlDHP3FiKew6xjSducNUtzyKm24kQaWSOfYIqTxYFRTI0bDgRu6xWGmZL37VSMWqDj3TIWOMBoLy0JBsRl6Jj07keJ0CwaNEa4cCWZ0s6nu49mp04JfJWF2r9ksX+2OVeDjSgX5JBB/V79j3I8iu4Nlp0pjyBKPlST/FUDAl1jT12X1grkYjXO8UyJ9AQqqnqK5lM+KYVR15Ui1lBb/vISPqiiw45bcUyHfVAAt7hcFpYLaYB0om3mernccN2fi26lawhhambRd7FGkILKA3byE9ytqGvDQ2CxtjA30kbGxeqXVFsyzROahR0c3KdKlnuCO9Uar4J5VEXgv2obNlNUfSMa9uleWDuhveBaE+2jtKUJd2P4wIIzF/VJGxgWGSge/ji0EV36EFfMg/Tyizdw5wtv4rQF0M+Uu6j/n/l62SmHnT/30H8IFCFuXWmtEo1xcssMymY4ricU3kJIgjGO9h+DrBP1GBczj7yVjLHTpEhRF0yP790xgsJrP4IQB2lOtGf5MCXLrBDYkOZ5xM3+Rq5ZNH0SAHRU/qtFUmLtfkcidjkPiwdqJ0e1LUtLwmSlsot1CkPs7hKORassyUrug7dCtv9QjRMDbtW61PlIbXqa59Aimql4IUcWyUybx12E8wRqmgcX5kG2wGfd9ZFUj6mXhQINFqChsTjXSavQw3u3m8kvd1mJXfjKS12ajr2X1e5wPDUEpLzc3wTOvVgZizGeykKTcKG+GXSjPXLR61ueAO26rboYiDAeSd73shFX/vvut/aB47kZobMOooljGVtnfZjVGY8dWzdNeGvBeLws7vnFrH1u/WXPxpktGz2/eJ0L8ANJd+BZ2+wC+R3OnHeDiXHfofm3dZJTncgxYPqboKKCXRzMviSCWB3poQTm5vEltsQOR6Lj17UmHu5MX7os7t7TrfW/op4Qko9ViWT5vtrUrCZzVqJS+d8hq4lm6ANMhi3Ql+nIMIxK+hjGZNBuKZEyKY+r+Lhz9E/xdOBGVB8QH4g32DWsYvaHfpcvJC8CkGO1nRIGFyrMc10lrv++XQYtiZ1Z4a0oOtQGAXaPGQTJB4KzwlGWc0+kguV+lK4h0QIvHvuorghYC4EJerNdRUviRxZB5mTDyJc1gGq6YgMr4d/a4tyXwoEzPbPGc/3YJATZPYLXOMaGDo0rd2961CFfrsneElNIZ71DWoy41P1fJG7qrfN0gLjU0aSC1vVnzDM8GQvoJGV35cONT7N7u+hjjFBFciLBNEE1DKge156EnP6VbR2LSptWrHeq3zOe9fN3FFR1WWor+lOl+SFztt7uVHCLuWxYPV+csOeBLQi6OhFnh9r4mLTc43wjPkbuci2jqEVM6Bf5gXQoEGzybhDb/3HfQK00NXovru5uEdREYDaj5NVyzyBhOT29JuOvqX7wEMNDqE//Me6Tx8bU12cuUM7Lne7grgYQMbYfLs3gKzRbeuYCqGCIz6KQMDOZvTR38EXqJxysrPb/HuiPfoSGHoAIHviJeIsy6bF7hKA8BikrMmoNc4762pKNKNzBGR+/HeQ1trDBCbYrTmlqoXPJaeANUZlD9NdwiopTJCBzjP/F61s5bpurAiJF6Ymx5yUHljZGVPFOH/ZawfhEcfYGvMUnAOup+EJCih5WQsrn2vodbVYFJ5GNMrDH9//uMi/cwqFWlBqnKGgnGdyqzXlLYTTMlv7fuh3XxkjRRTh6ZVuLyBqEBnXzSWwlcLOUdw3r/48JJ0JC2/rTLVnb+R7T2/+7uXVQISIrBx1ijtRCzFwaFWAPqsL+nMevAHnjpWl9NvanNWKIPIQ6cHGywxdi/7ynEnCYlY13fyIpagFKrgywsHcHuez8cyNtGLpg6hwbSEeN2wZYld+DQc5UH9pqPvvTuNHu3J62WJHZlkc6yBs/hiZBT/sEZUrL2Bf3SNFjzt/IcNSjlVbpP6dd6HpIH6tuN+lQJNypRe//TgKviHBkN0mzmw7IuRIDz1tcVA28COCo8NkzyD194zxDJ8yYKfKH/YwN5q8/R/r/EuUcY4qbeAokaS7XcIkOp/QFKHVM6AYKZ3SPyB5ZjkHFoHBG7YNDrx8AHDNemG+WUev/flmsEv3ykgTztgOoCmTqH/rduS+BGcKwsNW0iMwni9mUiJfuNdYLqhWohGLWb/mkUVoTgycXtsJ8x5BGkk4wSuGSwGCur8yVel7+Fr6CzsVGiPJOa0RHO6sN+Y9jnSMPIVm+mx16j3Q==,iv:ZGV3C0nvqdEnukiPkeMxDD66OjeXQF4anQLkALmBno8=,tag:ELar6NeP5bjL5L/Z5m7Piw==,type:str]
bitwarden-admin-token: ENC[AES256_GCM,data:WWkkhaSwJA423FSeSoEmssACB6qjyM2usKFQhGqzP+es5bIbr4SxpC1vhWHoS3om+OndVsWzQe4NZ9bNvWAefw==,iv:S/JBDXLZDaCG6EvFigIdSv6GvmFAL8w0BJZFYoGgkl8=,tag:bc7bjJUlcyHEsO3AEd4sxQ==,type:str]
bitwarden-db-password: ENC[AES256_GCM,data:ues1754DstLekOtmjbi1LgpA4nV+4i9xUcUH05xPQSa1osvig1prh3JVnyYxJpy2zOqeRF0adZuRyb7/P/SLpA==,iv:AZG8FGPrcgfgNCtYjCVvIEHI3bkIjWVf82QRJ+qQdRA=,tag:IHnlKpWdyAjrgrzYaJtYiA==,type:str]
bitwarden-ldap-password: ENC[AES256_GCM,data:gz8ntl7mwA9f2I8LjTR2lBky7J3xYYTyQwXBrunF8/6eEgAme0zxeA5u3DTUrQ4BNfUqPfxHOIX38IxiLKRyzg==,iv:5J+KIER7R+93wdaiK7FAfS5+m8qFDruyTYh2a3n6PIg=,tag:dsT7s2TKWKcwgl3yOE3I5g==,type:str]
bitwarden-smtp-password: ENC[AES256_GCM,data:og0n7HJhplyAUDY45iuKtjnOOwmW9wD2UUwrt7/Mf/DgWbhLiYJH/NVPiUhSERMimZjTkjuHHp3bNGiIPRojX0ukJTbfiX01/BipDon1TVleLNq/tYB+VjL9KDoYi5Og5gg2ZG0DfXu8IKYshF0UD9gpYHmmxDWlZ+ZTi19cDKkiVErj44ov3Bia7hs22FHqg2J946PmWJbWDTuYKRqyynAoOtfwmrSXVW+Q+xmHNYIfOiNHo/33V1xj0Ldl49g3ry3nFBP9OGnPKOOYmekv14ehJ4eixDuZQT9gpU5m2zdHRAcapW3T8TGZIibOGlMeYRbPzBoISOr+q419bsAuB90lzpGLZfkvriHxuxtpGSg=,iv:WTvc7i4hrDi5aSc+PCL+gTuf4KKZehwk6WfgXumnRPE=,tag:TOHJsAJi2t6L9ahrikS67Q==,type:str]
authelia-jwt-secret: ENC[AES256_GCM,data:sr3+B5UPtPsAYq8Dwqrbb/hXKuY49nWKhkQ11DGfSSgdIEOnDHP7jnyDCB1Mt536djovmrl1AlOG6/JKyxvakQ==,iv:r/LtU4sef4bwSY+T9TFccZq+bKrcdZ/lPsY9QInQ3xk=,tag:GNC4kVLRuxxShLwIPGKZmg==,type:str]
authelia-backend-ldap-password: ENC[AES256_GCM,data:36qJ5r/ddjgxzq82/EkvYVM8VAKoHpNUbIKlimm7eABk2FkEw+U/7h5ZLjFPmKtKkbOUSI7R48xY0cKkodKwuA==,iv:jG0rXAX8Yi2okp1Y6ZSiGgSSAVFJakKEI781EpVgOLc=,tag:cPd4wmAaF81KbVsnmIy+NQ==,type:str]
authelia-storage-encryption-key: ENC[AES256_GCM,data:A0w+CuVEUZZruXYbPiM3Mv7DcsXlu0+PvzLUS0oX71YAX7jnYBrJBFQ+sg7Y19JhQOvugCn2VJoSkcXErPq7Fg==,iv:p90bnFfoXOVEZ+BalN+Qs6PMWG8cIAqHE8jGQAaJAJU=,tag:1yp9z6UyrasKPYHHTRyHlA==,type:str]
authelia-session-secret: ENC[AES256_GCM,data:/x+cq/QsYyev30mnFiWSd1N+WCKBI4zgAczEfv9TVO1M3NHECv7J1qI3Lw1OBmBki2yIaXeNTKvsoPy1jscYqA==,iv:yjy0Gp9XDl9ePhWk3X7ATVlAO6j0wxrwddBJ06zxP6A=,tag:vXo7+TwfEIpRipDleM1Ztw==,type:str]
authelia-identity-providers-oidc-hmac-secret: ENC[AES256_GCM,data:LWLWRJqhL3qA5w53KVVB1vPUgSVhWrnoaVvD2kqIXmfZXduqj3HYRyWnGuhBsJOrVtw9gX10VT9zADkZtuYjihMEgRF4h6BWhg/nmt2l3ancAkcnn+wkzGhfY/MWwRU74j3DFN4fNMgBRXpv54tzEzoSy5kN3VriYp8f80OsEtM=,iv:V1bzLRB4/Hg+wm/YAoPRVUkAzzRiKZPnBYWVtJ47qN0=,tag:jjgB/Ja2+A7pkASl1+dGRQ==,type:str]
authelia-identity-providers-oidc-issuer-certificate-chain: ENC[AES256_GCM,data:gS6YDrngIePu4Uzio/y5JiJYDOJB+HWUlPgoP1jryvsPstfsw7YiksOYENn+ZgbSvjbk0VISSbGo+UH89r441+XBiCPqIVMLPAuSRnyEkVfG2RCSH9zF+SzrpGQreeg0q1TDDJF3YKoVotDKiq5qbagcd11VoNmbilCsrsjSV5wYdBQ3ahRm+283OBF3Coq5XcuF0mwpLuiDLsd9hEmPtaNlb/vd1c5bVMpgSEbPAG5RHaYJIr2zjt5HLNtZbldUbm4QWn4MZnvLHjtcZesTBpC7nvsKR65KJFBNDv7Ymdv3EODxo8J/RJrKVUaS09MfsW1wKIis3n3e+CSfTasRaFGlx1xC5o9b41+6BH18/+rchqivSUWnSikb4SNtKIFZTm9TklhVORWFgDrhthau5bluBGeUDdTOfuro0/bvIw8oKPsCoP5aXEzJDGugJRGCTAgI+qXBBSsLaTRlbDCQKcOozy0OQw7NvZGctOcQNvDzJfVkAPMc2Pph5ItaTWYh3MK9bEqmtCTtp7d/dWdSGjUly4EjhihxXdhbNX+BcaDdziZ/zQuxoTyKMdphAM65yYuAPyq35JnX37Z1i1Zis6lODZA9jxdUki8HTacNCh3Zd54nFD10RejErvXiXgsi0ilzBIaIe8xctPmWbwahabO+efKZ5MEixH2WX3+gb8l6gmEAYE75XfnWV0+QcL9ZvLkY8pUfNP1ZuN23NWNelT4JLPhdNip+l7DvxNVpIMxFmd0sTH452pslGKj/ESyyGl4c9ktwlJCc4+MFGLEIt7y2ZoEdddmO18bFs0TP+JY9GiSwoIQGt7ZnOSebG0MJLWLoVWi26V0QqaG06Ni1/XNHEBJuZD3vP+6sRL+0jMM5irIc5MNE8BkU5zyepaDPSC945ey8VyqDGI7HS5gL034nONvhALh/Lc+WW5uVAZKVSKBrtYUrXa+yyO0vzb42yr+9M5/r6UFW+4DrKtpked3RarakLhafwH4AQXE+ZohZYmVXl7XfD49MqwhWa04atOci5Hc3ZQ==,iv:dPslR8NX+8G8uLIo+wFT46U6XAR8ao2z6/rqzJRlEr4=,tag:Wbo1guFW/ggtZjLLNSoo7Q==,type:str]
authelia-identity-providers-oidc-issuer-private-key: ENC[AES256_GCM,data:AmefiXFJ7zEY0AHj7n61f0Ja/FqOf4Gj5WFb0SEf9ozXIlxXj3inayOPd5JB94VcVjNJ33u5XJhTzGwnN0v6QnF/iXdMBosXHdye7+v9H2GjUMFk1CKnsXgq4xEb2hHkYKdT+WBmZFksdjGw7Hl4ySGIWsFwBE3HHTNfQUFhtoEU19jQej8roFnAPIOCLHvskQ7V1OlKfMVdvIwnwep9qsuyNCMSuASjGvv8TDPQARk/1E7IJiROL/jvoTVKL1orcVNx3ibt7+HNsXCR3+g8ra4bKLRbPlKC6tQtdw98171xV83JlTtEEIPztzae0A+O9F7LMveSQveaqiBf/0YURueKQj/sH3nABGBSselO4tEQvudfrxJrQckFaQ4GB0/HoJlnRJsv6XJE5FDdcscIYFfzn6QGCookHhzITvwx/D7kubyZ/mZe/FMrp4Lv5XicUupaCTu1pflrhCpOwxh97Fiun02Ne4snWUAgVKlp7G7EhqDJV4KnNUbrCvpHvW09nNC2V71mkZm4LjLOg+jO0VazVGCzX8pgLm/Li4Tg7PhqQkQDsmgMw6tuxhRCDmzYytowAi4MmIQyewmAos3+TLoaaDb+DDSOhw3SqOX2FdCdEjvk7CY4NTCephvIFOtVpHTdmEX2UU3WNvMnC6/v1wmgQ2WsQQqp3IUvQrLlneAJ2tnBT9MdXvR8tYOBnInvwPzhE/FF1yh+eL/ujhHZ8d5RW8OfO/sIipQsMn+FsMqonbY8DJwQTOzwIa4AfNebeNeZnI/Y2XH149Ot+n2nbrf0stPyMo9xUPo5UBIBd8hsQq4cioEJKFJX2iWxJ7Cna2HxM0GC4FAKpFFrRCf6N8fFJ4U/PUNWX3sCJYvsI1Oq5oDxBmjl/r3SZ5vLumCxeDr9nulg72xxvUyzTA4cAOw5PRDk7Pvqm84Edoz+DzEdonRo4m+j8CU9JLrRS6jWLNDmenZvE4b5jEn6jthxoGzEm5cCoCT0G4BvrEqONq7CmETnGqqDs666qF3vP5UPrTMBwodeGmiPb6no70wuCs4wFSq+Cl6UxbqTPi2oIKSSS/P3XII1xTKIo7FXU4hniUs52awgQD27LfOM85MsibxPl3rp9SQndOmP56BwcE9d21iuEgRrZRhgZppK/rF3g6gyoPqJZGir/Sz50yHpf7DLZ9qiq71t32w/QODCzfMt3s9IvzR0T9xH4UvMauKNZO4+q0InahUNIqks1nUJnKW7a/+Q1nNPOcSDaRFJGOZUR25yaHBsXfOHcyemfIjJ+20gId6v52HBOPqWfIvAvRhNz46i/DUiwpeDSBmGxgQUMM97ruaJidCv6w1BCM4B4A0s9012Ksd4+UnQQEKX8oJ0TZtZbo8lqUyBk3GUOMFKtwMbn8k3CkQMIWTC4WftDXgAp2+jAu3hEV4rxm/+8uYjfNh8+/tTiOvCgJ8jQazJhan/+VDSDg0fk1DjEQBPP5ZAUl3vxw+pw1o5AnjvUOC+1KNBBUc6iUmGZ66NkjflJE5Zo7NC8MLc7D/YADmLQIYe3WwOAZsxg1AqsRkXUqRVAMhipv2RlKesCNpckivyzg3GbZlvcZjQS/bnZHZd8AuORpFnE2JvFD5QydlyFKvL3UdRVA/NkvWHPbQh/JrMCFLXlq5WNnZicx2ib6862B4JtEbNwZYjGKEvYkDXmfBgOx2AeetpO/C9rNNWJfa4SNGJC5D9+UFpoqIWv9YO6aDZ1S4flD+AXUzfoLKFBeLNsOswjwo67n/raQ//Upfpv2qKHYSY7KkWkam7So0uEZlVtrvGM0mkQSyNWY3KWdhII2gAvMzJ2C2iiJH+Geesi+E+29qCePFWJwyxCtf9jVXoR8E25UteMTvzyPRN/gjbRe/Zrbjj85sEQ9s2bDl77gpdC/+xKkZ56UiWA3ZceOG0Aij8yHP0Y+maY9+9Lh2T48LNPmuF9Qt7/IK0iixWZx0O0fzNrzY7HwQN9oFyYMiTILgYK3iVnSy3vIkDqgWfYdtNRurtAviFrSTRNefzvSah5D7TxoNbLqDcNJOMIMcRpxrHhygnP3yb+AFtpUZPiK0zfpybmgAePxWNk3Our7rSil03PXP71R9wwdwO+9N3kMuc4JS2ZnZ/Umz2zXf2tOfBnpkUqMF79VvcLBCVNa7IUucwBSIOkjdpW1f6Yu0b68gMFhBpAM2QNNnV7SL67HTt08rr0Y/k0hJDrXmTQarAb8Io+kSauegWdDyQaGbo71jTJQdIhG2Q4EfyuBGlXZ+rdC3jbbM1sjl/CKSujkSldBMEa2vp6a6aq+Ykt4qz+LN1pa0Oz4GZODY9s5iBoNgByYr++Kc+R0yRayaciZlhm27jALPyq1dBl0NG0F4ldE+KQciMPvpoPF8RBFIxviZrvpMU2ql/3dctoKkvpMXgSblX6iTyAxEeNwkmhDBfZyObrRIyTsDI2rUD3j9LQ+jTEk299cw8P2SGCQFNkl1itSxTyWoefZIEilL3YEgyxuIyDBzPLpmQzyMk4zrOu+zmJYFBm184Wk2Tt6e5b7VzfGurxnPhk/KpaPwJeTJPM44n9UQo/fpnNra89XUqty0fYg8fb2d4XnyMVc2ooZE6vmn8pi6QHwOr6vKhO6LEcok7f3MGafjPs/BW8J8aqGvLoKpEelSEEvhVhBlHQlxoulWZYG6sowGJdLcA95o0hsZmxvL7tB4OpS1ZFjN6Um+0wa0yj3yl1XNuYKmjV1IfXjwowgZ/Lb1tRRxAcxoT2mycr6d2wrbfS7huhTUNZBCHQizOiQcuoRlHeTvu/f8owAwuBb6r0wSGHyDhVmw5Ga73Fk4LkavAEKD1MW+tWeZtioIQT+PKrmVCrbqnx50xVaRmUAvpX5BRnznu06pWKna5Wa6gfjBz48IPGzgaPyRIzw4sdz1AB8ScUd2lT8Ihb/FTZAWOPzSR4CZeIyDvCWuQG89xgeq6bhlZxr7YA3jRIGxUqGq5h3s08k1zG6uCg/1LkythiRUp9rZPiHVVPWlpZl8W1YWhyJVGJVu5aQTgtRZRLlCg+pJvOmKzFLbJSRNv5xdXdTfEp0HTkVWDc+G58nONTz8oygyRIvw7OhSQeOKQtcr6Bzkt1LVIM5vloFGSr0gaI32Db43hiWv90v4mEXWdWDtsSLXyGipVyH8MpeghyMgm6Vps7ogujJVCEJrW2JLbcAvlnlXEDoVSx4qQMOqOFrhwfzDClBuXy7LEZ2bcWsVuNebOA0oZoEkfWkbNO3QX6vp/jUrPWhMu2orm0ZGNeaebXqauc0ueI8IbnBfSI/6DOoVd9MU4fyiApQvRL5jbAcDLHowIKWaSYpV/obVy8U6IvoaFpRJPiaeAo6yFLLEUemt3OrGiPhKrbuHSkHaNyUF5ywSf2Oz8a9eH1MWaSgFjdqLmBtmAogsHS+I1NIfVmytcKNQodPEk6LZjRKbiJ46U3D5/d6j8O7qZ0M6FbuEawTb98Mctx7O3RJJhJiaqdTfL9sS2Oxix5dY39e724iJQ5P1/96T3vGTnX3rV6VQ5/G9X1tfFBSobV0h6iQccH3aUQUPyiRCquxhzRDuo8jkzYIv4TLLFF9Z1mE/FAFkOrNJfIaJ0kppQmAN9JkVdoIvmKBinn1fjK+vGgeOHEdMboSZhbeioW2qRMxkdNQhOMWOUEQ7BHLzxpKUyQiOFmPPnCUEUja5KCvIw/AgTN7p0Ep+WtWmnVedIKG3CZory2a91lFzF574PAAbf4buITM9N4FG/vqoe1k1iLW0WGRgMCYAhUJ9J+ZkV1VHJD86E+ZnAKtM5oEfCs4/eRnOxG/nY4iL+0KIZn47LoEAyFpWuJN9yATT+GwFWXvswDbMD9xm0v3SCL6fjSFIzPzy1WBAKpd5HT2FBElVru5Gk2r4nPA1In6T+Ke7qkcK8bbiyNJSNcLNJfYC8J4NWxV7cTjShOv2RoAV5m9dnB5RZW5/DMQL+aOzfjm178lmuzDfWGa30vRwc6qXxEYsV+tdo7ATldTzAjzuTDMg+M+6NTYNIlLAwQKxs0oHEuqwuhKXjQSw3ZVFRST9oYf6sNFoRMkrWkkV10uvch0NRRCSMR8KtnvfGDrvSqWfVZINEzWZLgtwXvyQ/1TFF203RdeUXzW6pj24R2FNKyMGKHaRyHnrnyNtMEskMuvMiN9nr34o+Tt6hCj/R4bMT42USeTI3oRyRI+vq+fuJADZ03JBXXEC7TJp+K6XGSUowLD8fJxclnTypbHa9rI9dHngxTkkeMxsRwPsYYVT8HCB5D38IsNI15ONRWI9K/kFfVyMEQq/KQ7/Uc5VuhfgXoG64vX73,iv:F/oBMW+PX6ogxHSYMWRS7liolMOc5rqwIJbwYj+J9DM=,tag:7HpCNkBWKFCGoNCq2iK3YQ==,type:str]
grafana-ldap-password: ENC[AES256_GCM,data:hNB6CRtXW98yqUqInD3LsZ75sA+lVfmbooehni0UKL60qE/XCZm5B9JVO9pjxbIYZN6Eu/RFX+9L9cJVa5jnEo2MVeLS4CSjqC8BHLArlOuEdA5v8vqqJofBpBfXXN5Ca5xeUDJKz2HgtoTg7G5nTkegGZPGrmj5QQiL1xzco38=,iv:ViQAPTGxEWnjLkJlGCdCq5wW+fbr/O9er8/71VjL/GE=,tag:+Mow4cw7tvtkXvV2iSHeQw==,type:str]
grafana-admin-password: ENC[AES256_GCM,data:365efRy8xD7SHBnVz6ZJO3l8/lfiZ5vZPZZbxnUmjKKJTMeebLY+P54moStY0wsbU9vk7sCKATCxrS5xy+FQJSgKLoajfz50OMA4+1k3Shl+skbeIikHKwFxqrljFa6HRQ2HTW6KLDPu6Z5Agkima5xdfrtc5R1SnOFg5b6D5NU=,iv:0yZGZVQd35Itj66Ff5hDfDYYx5xsNs/wc887bgMV1MY=,tag:9t8Iffg7kxSjE5eo7iv/RQ==,type:str]
grafana-oauth-secret: ENC[AES256_GCM,data:OXsKChjgnDEKG58LarUpdJlDy4FJTrs1lrHH9I4wO+OGb+XdOPokyXSq0Om7aYhp2g40rBcQzfj5tQcgjmvZ27He93HfgxST,iv:pSiu/2G+D/wd2+FormfGiXMm2Ps/5iDDHqUnsIJ37EY=,tag:UN2IZ6/aJJSEcTmXeD9CAQ==,type:str]
promtail-nginx-password: ENC[AES256_GCM,data:zk/Wq+Nss6Md0GdhoOcysPrDBqfoAobmqb4LMDkJBjpCn/mdP3/HPiIYdZnZ0vV0JmYpQVqgVFPMlA==,iv:TA19kKllw0Vco6RRlbW4eUqeGQ0SQJRr/TATmyZBMrs=,tag:10/87/svXdL1hpUcTOtY0w==,type:str]
victoria-nginx-password: ENC[AES256_GCM,data:+rKDzML5eQX47JF1i/ZU9jwdeLgRXPyzwSCt+iDzsCx8RKSn+omTESs/P4lj9dBPO0zjo6w=,iv:o4JW6EIwTMt3SAqhGscnc9iQBwWr6VYFSIA5sc86+pc=,tag:OvupW1Py8pCu5IAemdc81w==,type:str]
nextcloud-adminpass: ENC[AES256_GCM,data:/vt17v+aaucz8sq/uYUA0hlj1urKNYcmCN0LbgGAMhWoTiTwzYr5FzrygOuZWZBeaAFH1pWItTZRXj74OX8XqutLPlYDg/jZqLszU0/9HgSBoHb5ZnPUpzIjNI9dpMttPphpo5TVrYKoh/vR3OWjJa3ObcpGLdvMQc1r8ABEvvg=,iv:0xW7++80CwZy0O4J3bFElqp0ZMC+RpO5kcczshM1pzg=,tag:PJj5PHfkoHE8jRbS4mpq6Q==,type:str]
zammad-db-password: ENC[AES256_GCM,data:4LkMM06cs9H/ricsE+2LNin8PIn4MLbi+TaYpESeAhUz7M6JFcoLGdn2Rws3crGuCWVLColh1bv0hALLSYQs2Q==,iv:MIufiAixz6wLp1byQ2tiAx27jJGUAnVGs8KLWLaqk+4=,tag:Wbq6V3661r3Ue942q1jBRg==,type:str]
zammad-key-base: ENC[AES256_GCM,data:IERHJKzK/kRa4P6EfpSzt/9Xj1I0/YGl/Fj8ISA/WQFn4+hu9VqdJzMoVgZexbjhpB+fPWmxwyGBhrsJRf77zJGosRzG+4MPWPw6Yggai6TGbZkxj5St+I7nm9KZbtkCbo3pH3YLXhKCFVZJuSNtBb9Y3sqd0h8XcygMQbaf2Js=,iv:FEZUOBulpPDGUuJztod+r/17MEmojKrOe+HptecMdTo=,tag:ZsFKuUKaCgc01/iDJgbkNQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRTZCcnlXaHhiVlRhTlo2
RWlWQkY0bkJseHdVU1BvVHRwcHhNNU1Yb2xvCm1ZeU1KY3Y4WkZPRmlvQ01HdTVP
b3lDTjZLVTRnV0NxQkU4ZVg2ck9FYTAKLS0tIFhnaTRSVVlpM28zaGI1OFJ6VkpW
QkNTd1hzSm9zNnlmTzlpQ1hsa2loeXMKfWYt6gtlXRv97kmSeT31fSA+JfQFAeH/
e+Z8maFTUte0NF/toqsxDJPyLG8TPaWMiS+75RCRPXyvxtt58H5iOQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age136s4znrmkheztq6mps46dj5z4avy2umzz3the58fqtlsksvx5skq9ljqgk
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSM2NzUVVWZGZ2alJ4L0lC
TE9UWHEvNmtaT0pnVS9mUUh5VHdkQ1lIaDBNClVmendCYW5PZUNqUTFEYUhldnRZ
UWJqVTU1ajJNa0FtcnBDdThFYnBETUUKLS0tIFFROVRoTFNUOHVLSjN6elZzb1RQ
MXlOWjQ0cU1mUEhhTGlLWVNyS2V5c28KDNN6eK17Z+RZtb1/pH/tr8y9qk34cHPg
UGKimFTU2o0CvZY7ZnA24XV2RgfKs2J7COUc8I34b1kWPge57yQbJw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-19T12:12:46Z"
mac: ENC[AES256_GCM,data:W7MGnXfVxBgS/AQ5Xl6PcK3P4rH+1OjbWGBJBlz7KaG3uZXf8rnZGb7OUgYadu1KjhWZIJf8i3iyOBSqPTnBbd2xYKRMmxJj1qMlGY6dx8eGv4Zlvahs4pzT0iGqhC9Ce0+mc1QQwiD7paq0PSgNAy8q2XudITCS6iIL9woc+CM=,iv:SyTmDoG49wp1WPYUsnjw6u28Ch4N8a3T6EFncCgel5I=,tag:xJk//KA/Zhq3bjy1GG1L3g==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3

34
hosts/web-arm/sites/api.optiprot.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,34 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."api.optiprot.cloonar.dev" = {
enableDefaultLocations = false;
enableMysql = true;
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU="
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
error_page 404 /index.php;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
};
}

34
hosts/web-arm/sites/api.optiprot.eu.nix Normal file
View File

@@ -0,0 +1,34 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."api.optiprot.eu" = {
enableDefaultLocations = false;
enableMysql = true;
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDBGlzrg6NP5ezRFVu1CV8r0uCcS2oIgYG2/u6Cit++ARWQRO5Y0+9qC1Y2RNUaLPbvTmXg7ShskolUeuLryqvp10K2kXQ4E9NlmJ3BNLiAfWCzfe6gAgr6u5unVlXHttnP0leYpGGMUCKuiJpzy/bR6rMIUrCQC6W/MeXkwysNWKvL+ZD0IeQbogtfMFZmag9PO04RKZZvuUn9YvlgkTEK97g5dtyP1NxdtE9dDYf0G+0HcHITcw+lVmGNNwi43nAoUHieQd1kWc8YmxFB+y5O+vRH2O6pZBSdr0tdK6bPcezxd3Gk6i3a54yZfbvSislWA+o7s6uw/qExocpZb7xWa5ymPrGlEPbpYdT1y3hFO25+L1lR4QdG9oUNtJ974bL+EmYmHU+j32K3f8fxDg6BRo8FuriLtAzP7/2/7W8K4nIdMoosS+Ond2JE6XFkg1kSrXCivDBQoetZLO2y+ZPYcsQwIZsdjOnZqVr76nTepqCGIKYCuNM/9sl4AWCsyU="
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
error_page 404 /index.php;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
};
}

34
hosts/web-arm/sites/api.paraclub.at.nix Normal file
View File

@@ -0,0 +1,34 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."api.paraclub.at" = {
enableDefaultLocations = false;
enableMysql = true;
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmLPJoHwL+d7dnc3aFLbRCDshxRSQ0dtAVv/LYBn2/PBlZcIyVO9drjr702GL9QuS5DQyjtoZjSOvv1ykBKedUwY3XDyyZgtqjleojKIFMXkdXtD5iG+RUraUfzcFCZU12BYXSeAXK1HmIjSDUtDOlp6lVVWxNpz1vWSRtA/+PULhP+n5Cj7232Wf372+EPfQPntOlcMbyrDLFtj7cUz+E6BH0qdX0l3QtIVnK/C1iagPAwLcwPJd9Sfs8lj5C4g8T9uBJa6OX+87lE4ySYY+Cik9BN59S0ctjXvWCFsPO3udQSC1mf33XdDenc2mbi+lZWTfrN8S2K5CsbxRsVBlbapFBRwufEpN4iQnaTu1QmzDrmktBFAPJ2jvjBJPIx6W3KOy3kUwh9WNhzd/ubf9dFTHzkTzgluo/Zk6/S8fTJiA4rbYKSkLw9Y265bvtR1kfUBLKSa/Axe5dkKysX1RNKfTJEwbh2TfIS3apQPZZc5kIEWfeK/6kbQX7WJZFtTs="
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
error_page 404 /index.php;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
};
}

35
hosts/web-arm/sites/api.paraclub.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,35 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."api.paraclub.cloonar.dev" = {
enableDefaultLocations = false;
enableMysql = true;
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmLPJoHwL+d7dnc3aFLbRCDshxRSQ0dtAVv/LYBn2/PBlZcIyVO9drjr702GL9QuS5DQyjtoZjSOvv1ykBKedUwY3XDyyZgtqjleojKIFMXkdXtD5iG+RUraUfzcFCZU12BYXSeAXK1HmIjSDUtDOlp6lVVWxNpz1vWSRtA/+PULhP+n5Cj7232Wf372+EPfQPntOlcMbyrDLFtj7cUz+E6BH0qdX0l3QtIVnK/C1iagPAwLcwPJd9Sfs8lj5C4g8T9uBJa6OX+87lE4ySYY+Cik9BN59S0ctjXvWCFsPO3udQSC1mf33XdDenc2mbi+lZWTfrN8S2K5CsbxRsVBlbapFBRwufEpN4iQnaTu1QmzDrmktBFAPJ2jvjBJPIx6W3KOy3kUwh9WNhzd/ubf9dFTHzkTzgluo/Zk6/S8fTJiA4rbYKSkLw9Y265bvtR1kfUBLKSa/Axe5dkKysX1RNKfTJEwbh2TfIS3apQPZZc5kIEWfeK/6kbQX7WJZFtTs="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFtMqcJDygWT16b7wF0qaagWUHj1+s6whMq0YRv47WA5"
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
error_page 404 /index.php;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
};
}

36
hosts/web-arm/sites/autoconfig.cloonar.com.nix Normal file
View File

@@ -0,0 +1,36 @@
{ pkgs, lib, config, ... }:
let
domain = "autoconfig.cloonar.com";
in
{
services.go-autoconfig = {
enable = true;
settings = {
service_addr = ":1323";
domain = domain;
imap = {
server = "imap.cloonar.com";
port = 993;
};
smtp = {
server = "mail.cloonar.com";
port = 587;
starttls = true;
};
};
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:1323/";
};
};
services.nginx.virtualHosts."autoconfig.superbros.tv".extraConfig = ''
return 301 https://autoconfig.cloonar.com$request_uri;
'';
services.nginx.virtualHosts."autoconfig.korean-skin.care".extraConfig = ''
return 301 https://autoconfig.cloonar.com$request_uri;
'';
}

90
hosts/web-arm/sites/autoconfig.nix Normal file
View File

@@ -0,0 +1,90 @@
{ pkgs, lib, config, ... }:
let
domains = [
"cloonar.com"
"ghetto.at"
"optiprot.eu"
];
vhostConfig = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "/var/www/autoconfig";
# MS Outlook
locations."~* ^/autodiscover/autodiscover.xml".extraConfig = ''
root /var/www/autoconfig;
try_files /autodiscover.php =404;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
'';
# Thunderbird
locations."/.well-known/autoconfig/mail/config-v1.1.xml".extraConfig = ''
root /var/www/autoconfig;
try_files /config-v1.1.php =404;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
'';
# Apple devices
locations."/apple/get-mobileconfig".extraConfig = ''
root /var/www/autoconfig;
try_files /apple.php =404;
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_pass unix:${config.services.phpfpm.pools.autoconfig.socket};
'';
# disable logging for Apple Touch Icons
locations."~ /apple-touch-icon(|-\d+x\d+)(|-precomposed).png".extraConfig = ''
log_not_found off;
access_log off;
'';
};
in
{
services.nginx.virtualHosts."autoconfig.cloonar.com" = vhostConfig;
services.nginx.virtualHosts."autoconfig.ghetto.at" = vhostConfig;
services.nginx.virtualHosts."autoconfig.optiprot.eu" = vhostConfig;
services.nginx.virtualHosts."autoconfig.superbros.tv" = vhostConfig;
services.nginx.virtualHosts."autoconfig.korean-skin.care" = vhostConfig;
systemd.services."phpfpm-autoconfig".serviceConfig.ProtectHome = lib.mkForce false;
services.phpfpm.pools."autoconfig" = {
user = "autoconfig";
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
"access.log" = "/var/log/$pool.access.log";
};
phpPackage = pkgs.php;
phpEnv."PATH" = lib.makeBinPath [ pkgs.php ];
};
users.users."autoconfig" = {
#isSystemUser = true;
isNormalUser = true;
createHome = true;
home = "/var/www/autoconfig";
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE="
];
};
users.groups.autoconfig = {};
}

60
hosts/web-arm/sites/cloonar.com.nix Normal file
View File

@@ -0,0 +1,60 @@
{ pkgs, lib, config, ... }:
let
domain = "cloonar.com";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${domain}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
];
};
users.groups.${domain} = {};
}

60
hosts/web-arm/sites/cloonar.dev.nix Normal file
View File

@@ -0,0 +1,60 @@
{ pkgs, lib, config, ... }:
let
domain = "cloonar.dev";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${domain}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1CQqL1hQV3Lb6hqzDt2mgr0IasBRlIrdUCM+QibgKcU1VUWEJTo1nkcwgunnpUROtCQPRtlBZWwdqphKNrpMf3PkCPnjkcQC/2dGcFUXbkGq+5NaMnXpQnt7XAPyqxAT/9nCnXM9y3IBWjL9jN3C4l+yZHuMChi1a3q/6cNNH7WORkC1hq7MMyIvRCh6HDPwq1XCEj0w7O6m0iBmXIwiXyh3ly6ruWmkNQToPc1s2QuIE/w0yXoOF7Ubxtdf/GH2Yu0f+ztJrOveuiLlsNWx596lQwDlYa58ib0nPPtnFVf8od59F/UC8lOFtMsSY/d5ArOnqKjk6iWNaOh15WLr7wj9lrHJkiD+9fgXLyaaxVLt4NYGwyi7SZn7P1lHz6kjFr9UmRvfth6nGGoCvvfQZB8MAE0FhcTHb9fXC1m/NengWf40VQ8woZLZ4mRPWZBxrSnymgFiIvSYSqxnP3QNID4quaQ8sPyXYygbtt38qXAg/Ixyud0vgZN4H/rbW+DE="
];
};
users.groups.${domain} = {};
}

141
hosts/web-arm/sites/diabetes-austria.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,141 @@
{ pkgs, lib, config, ... }:
let
domain = "diabetes-austria.cloonar.dev";
dataDir = "/var/www/${domain}";
in {
systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
services.phpfpm.pools."${domain}" = {
user = domain;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "stderr";
"php_admin_flag[log_errors]" = true;
"catch_workers_output" = true;
"access.log" = "/var/log/$pool.access.log";
};
phpPackage = pkgs.nur.repos.izorkin.php74;
phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}/public";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
# TYPO3 - Rule for versioned static files, configured through:
# - $GLOBALS['TYPO3_CONF_VARS']['BE']['versionNumberInFilename']
# - $GLOBALS['TYPO3_CONF_VARS']['FE']['versionNumberInFilename']
extraConfig = ''
if (!-e $request_filename) {
rewrite ^/(.+)\.(\d+)\.(php|js|css|png|jpg|gif|gzip)$ /$1.$3 last;
}
'';
# TYPO3 - Block access to composer files
locations."~* composer\.(?:json|lock)".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to flexform files
locations."~* flexform[^.]*\.xml".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to language files
locations."~* locallang[^.]*\.(?:xml|xlf)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to static typoscript files
locations."~* ext_conf_template\.txt|ext_typoscript_constants\.txt|ext_typoscript_setup\.txt".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to miscellaneous protected files
locations."~* /.*\.(?:bak|co?nf|cfg|ya?ml|ts|typoscript|tsconfig|dist|fla|in[ci]|log|sh|sql|sqlite)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to recycler and temporary directories
locations."~ _(?:recycler|temp)_/".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to configuration files stored in fileadmin
locations."~ fileadmin/(?:templates)/.*\.(?:txt|ts|typoscript)$".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to libraries, source and temporary compiled data
locations."~ ^(?:vendor|typo3_src|typo3temp/var)".extraConfig = ''
deny all;
'';
# TYPO3 - Block access to protected extension directories
locations."~ (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?|Documentation|docs?)/".extraConfig = ''
deny all;
'';
locations."/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
# TYPO3 Backend URLs
locations."/typo3$".extraConfig = ''
rewrite ^ /typo3/;
'';
locations."/typo3/".extraConfig = ''
try_files $uri /typo3/index.php$is_args$args;
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
};
users.users."${domain}" = {
#isSystemUser = true;
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDZg6mxd6kuB7zxxTMw/kgP2Cfddjnz8hCtSbzKckNBtM9TbnJ76ZbAjgh/TDcm/qBADlICi+Ib0tMlzK1BJWLxe1SjHOR78BPzPGASmjtj6vuNAFyM20Ise5rhbbo2sC6o82F6HP4iak+hFzhwTf0Ld1LT5dJ78CltKgHFmyKIaRYBILn5MvTnmORG2UfFY1Tef2DiujrQD24bM2f4BYR2Ni0zoyim8UUkjciQkXceB8yDJQX/e1WcNxGU7Bsh2WGZMu6Ykeinbf7LIu8pPGH2sf81N8tbsYc4PxZv9lovgRWdNNmSfB+Ocsn4jWBN9nVtb8XMXycTaenI4W57F+ZWrx0LddPhwfXbLAdFgxyvqtWW/WF48DH2vETQcCATowIhtU7QDZ3pDKaTIIYhDYnMvPJuM2rQP0SCMaNzQlziXWFvKTRw8nnqkpzTz488OJVkYvULXhiRgr0Uxe6eh7XCOO9SF5wdj1cGeewefOiOjpxmg/GnaQvQW6KjFRMj1ZE="
];
};
users.groups.${domain} = {};
services.mysqlBackup.databases = [ "diabetes_austria" ];
}

39
hosts/web-arm/sites/gbv-aktuell.at.nix Normal file
View File

@@ -0,0 +1,39 @@
{ pkgs, lib, config, ... }:
{
services.typo3.instances."gbv-aktuell.at" = {
domainAliases = [ "www.gbv-aktuell.at" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHYyLbVv9l/LhpNhmE3QO0f9Lg8d2Y8JiDdn/cNcmyfO"
];
phpPackage = pkgs.php81;
};
services.awstats = {
enable = true;
updateAt = "daily";
configs."gbv-aktuell.at" = {
webService = {
enable = true;
hostname = "gbv-aktuell.at";
};
logFile = "/var/log/nginx/access.log";
extraConfig = {
# ShowDaysOfWeekStats = "0";
# ShowHoursStats = "0";
# ShowDomainsStats = "0";
# ShowHostsStats = "0";
# "ShowRobotsStats" = "0";
# "ShowFileTypesStats" = "0";
# "ShowDownloadsStats" = "0";
# "ShowPagesStats" = "0";
# "ShowOSStats" = "0";
# "ShowBrowsersStats" = "0";
# "ShowOriginStats" = "0";
# "ShowKeyphrasesStats" = "0";
# "ShowKeywordsStats" = "0";
# "ShowMiscStats" = "0";
# "ShowHTTPErrorsStats" = "0";
};
};
};
}

10
hosts/web-arm/sites/gbv-aktuell.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,10 @@
{ pkgs, lib, config, ... }:
{
services.typo3.instances."gbv-aktuell.cloonar.dev" = {
domainAliases = [ "typo3-gbv-aktuell.cloonar.com" ];
authorizedKeys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAcDedq/yqC2ROzvZGTyR/tDSnTcL3LB32O2QhkgQmfn"
];
phpPackage = pkgs.php81;
};
}

71
hosts/web-arm/sites/gbv.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,71 @@
{ pkgs, lib, config, ... }:
let
domain = "gbv.cloonar.dev";
dataDir = "/var/www/${domain}";
in {
systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
services.phpfpm.pools."${domain}" = {
user = domain;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "/var/log/$pool.error.log";
"php_admin_flag[log_errors]" = true;
"php_admin_value[display_errors]" = true;
"catch_workers_output" = true;
"access.log" = "/var/log/$pool.access.log";
};
phpPackage = pkgs.nur.repos.izorkin.php74;
phpEnv."PATH" = lib.makeBinPath [ pkgs.nur.repos.izorkin.php74 ];
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
};
users.users."${domain}" = {
isSystemUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
};
users.groups.${domain} = {};
services.mysqlBackup.databases = [ "gbv_stage" ];
}

117
hosts/web-arm/sites/matomo.cloonar.com.nix Normal file
View File

@@ -0,0 +1,117 @@
{ pkgs, lib, config, ... }:
let
domain = "matomo.cloonar.com";
dataDir = "/var/www/${domain}";
in {
systemd.services."phpfpm-${domain}".serviceConfig.ProtectHome = lib.mkForce false;
services.phpfpm.pools."${domain}" = {
user = domain;
settings = {
"listen.owner" = config.services.nginx.user;
"pm" = "dynamic";
"pm.max_children" = 32;
"pm.max_requests" = 500;
"pm.start_servers" = 2;
"pm.min_spare_servers" = 2;
"pm.max_spare_servers" = 5;
"php_admin_value[error_log]" = "/var/log/$pool.php.error.log";
"php_admin_flag[log_errors]" = true;
"php_admin_value[display_errors]" = true;
"catch_workers_output" = true;
"access.log" = "/var/log/$pool.access.log";
};
phpPackage = pkgs.php83;
phpEnv."PATH" = lib.makeBinPath [ pkgs.php83 ];
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."~* ^.+\\.php$".extraConfig = ''
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
if (!-f $document_root$fastcgi_script_name) {
return 404;
}
include ${pkgs.nginx}/conf/fastcgi_params;
include ${pkgs.nginx}/conf/fastcgi.conf;
fastcgi_buffer_size 32k;
fastcgi_buffers 8 16k;
fastcgi_connect_timeout 240s;
fastcgi_read_timeout 240s;
fastcgi_send_timeout 240s;
fastcgi_pass unix:${config.services.phpfpm.pools."${domain}".socket};
fastcgi_index index.php;
'';
## serve all other files normally
locations."/".extraConfig = ''
index index.php index.html;
try_files $uri $uri/ /index.php$is_args$args;
'';
## disable all access to the following directories
locations."~ ^/(config|tmp|core|lang)".extraConfig = ''
deny all;
return 403; # replace with 404 to not show these directories exist
'';
locations."~ /\\.ht".extraConfig = ''
deny all;
return 403;
'';
locations."~ js/container_.*_preview\\.js$".extraConfig = ''
expires off;
add_header Cache-Control 'private, no-cache, no-store';
'';
locations."~ \\.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2)$".extraConfig = ''
allow all;
## Cache images,CSS,JS and webfonts for an hour
## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
expires 1h;
add_header Pragma public;
add_header Cache-Control "public";
'';
locations."~ ^/(libs|vendor|plugins|misc|node_modules)".extraConfig = ''
deny all;
return 403;
'';
## properly display textfiles in root directory
locations."~/(.*\\.md|LEGALNOTICE|LICENSE)".extraConfig = ''
default_type text/plain;
'';
};
users.users."${domain}" = {
isSystemUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
};
users.groups.${domain} = {};
systemd.services."matomo-archive" = {
startAt = "*-*-* 23:00:00";
serviceConfig = {
Type = "oneshot";
User = "${domain}";
ExecStart = "${pkgs.php83}/bin/php /var/www/${domain}/console --matomo-domain=matomo.cloonar.com core:archive";
};
};
services.mysqlBackup.databases = [ "matomo" ];
}

65
hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.at.nix Normal file
View File

@@ -0,0 +1,65 @@
{ pkgs, lib, config, ... }:
let
domain = "mehr-leistbaren-wohnraum-schaffen.at";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."www.${domain}" = {
enableACME = true;
forceSSL = true;
globalRedirect = domain;
};
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."mehr-leistbaren-wohnraum" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
];
};
users.groups.${domain} = {};
}

60
hosts/web-arm/sites/mehr-leistbaren-wohnraum-schaffen.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,60 @@
{ pkgs, lib, config, ... }:
let
domain = "mehr-leistbaren-wohnraum-schaffen.cloonar.dev";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."mehr-leistbaren-wohnraum-dev" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDWrkjt5+tIGAi0Q9ViFlFARGxMxoDaxI7lu1AtIlluhOXvJrX33roxV+PF+ky6ZQFcwd5xRy1HkXkfsBJVlRstrZXiqbP9DaSO3arSTQmiezSWgeLD9r3aktsPINgENkMBSUgURVRDaO0B/PA5MylOoijFaxmHEFMa8ZNYwKj/tWKt6+NI9UxUW3fSZXipOohvdzPxoD5YjjlyivtQCbfcpFa46Q08TIiUNEBnSTIKbDuVGgNtKXd5ELRtl7HRcT9iwPfmmVPHVMXREnVma47pABe+54Qrh6N8MzSJLOLJy/kRM2iw/ovxGEWE8rPqaoPszaEPxDEpEmRMyqNb5ZAuWG3NvUOiU5rijSvP8H9QVubJyNC4DHYYeBa1Kw2iAqnzdsneyHz01vVRQh7qa4Aonuzk2VfrW08dJbMC7p6tpvQgkdGLrwetgwZRqdGpbWhRV4s816tuoBFTmM3gDWr5R6CAPmzmykhTi8IbJ5LTua5t7+82wIMA026BNvRbndk="
];
};
users.groups.${domain} = {};
}

44
hosts/web-arm/sites/module.paraclub.at.nix Normal file
View File

@@ -0,0 +1,44 @@
{ pkgs, lib, config, ... }:
let
domain = "module.paraclub.at";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html$is_args$args;
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${domain}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwgjsgjxOSX4ZeLuhSq+JumnEa1bKS3fwlA8LDuxvOWXs2Zn4Hwa04ZuM59jzqifwGGMJOFxErm8+5oH2QQFa0wgg8zEG+2U1AzjMNk5+mxrhnLPGAMlnqXmkGi0Jj2nFwKaEM9kcO5UUqRP71BFdGtP74wRcaVpT4TTPzCQl1HTdwzmAOT+3yQ364kyAHXTwQOAjiFcSAlNfZ5C2eeNC642bv6Dfi6mMWi55tdNV6HUn7y2cbq8wscDG7gla8bN3xivuO6POWqyCpHtLxDhppLYJ28ZwqpcynRAXDnVYlT3DmPw1bDs/eBlkjauGR/oM8phka3No3cREBYpSWK7mJeqIIWSV0Z4dvFLeWh6MM4AVhX3HOW7jcxf2tUmpzre6S10HjXj3lLES7oJO4uOYoJWxaGcqFiUc9BOxqLN9FqECXuzfC0apCr0OYm5T2NsSmzlkBPzCa2EqBBI0u5XGcDKgpBA4gD8kuD+8Cj5DxPzXP+IdX1jhHRVsI5nucTvM="
];
};
users.groups.${domain} = {};
}

45
hosts/web-arm/sites/module.paraclub.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,45 @@
{ pkgs, lib, config, ... }:
let
domain = "module.paraclub.cloonar.dev";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html$is_args$args;
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${domain}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCwgjsgjxOSX4ZeLuhSq+JumnEa1bKS3fwlA8LDuxvOWXs2Zn4Hwa04ZuM59jzqifwGGMJOFxErm8+5oH2QQFa0wgg8zEG+2U1AzjMNk5+mxrhnLPGAMlnqXmkGi0Jj2nFwKaEM9kcO5UUqRP71BFdGtP74wRcaVpT4TTPzCQl1HTdwzmAOT+3yQ364kyAHXTwQOAjiFcSAlNfZ5C2eeNC642bv6Dfi6mMWi55tdNV6HUn7y2cbq8wscDG7gla8bN3xivuO6POWqyCpHtLxDhppLYJ28ZwqpcynRAXDnVYlT3DmPw1bDs/eBlkjauGR/oM8phka3No3cREBYpSWK7mJeqIIWSV0Z4dvFLeWh6MM4AVhX3HOW7jcxf2tUmpzre6S10HjXj3lLES7oJO4uOYoJWxaGcqFiUc9BOxqLN9FqECXuzfC0apCr0OYm5T2NsSmzlkBPzCa2EqBBI0u5XGcDKgpBA4gD8kuD+8Cj5DxPzXP+IdX1jhHRVsI5nucTvM="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIC0j0teJ1v7Ke2NYVWlHOd4sYBiE8uLHAtY+Myi7g267"
];
};
users.groups.${domain} = {};
}

15
hosts/web-arm/sites/optiprot.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,15 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."optiprot.cloonar.dev" = {
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGNI6KmHlpwR8+oSm8fPdeE68kJ70oQ9EkYfhf6pqLT4Kg61WJtcF0Wl1leirnO87a30rxjK1cm69jqED6paAg8Hxf7u9+M1i+vNDVS9aZWU12rG3P8mBVW3oJFyi4PmmXNFdzc+nJTpIZVDdQqoV6I6ZsXupNvx8BaZgP/I+bMBU9+7vCvdsUVN/10+5l5FZOHGNNvDWFQKt1uGNY2xAfpNmxepLOMnC50ARfrR5UU777WxBoPBi12EXJbNbiv64JQ6Zz6/Aq6QjFaOPz+aX06uGuHWQPFCp3bw9Mc2QoO9Z/gGekDU1zzHzpxgS+MQgnuWCRJ5U6PhYSgCoQ3iUsvdiHah8LpJRtyZj1UcIeU0932sj7rxwbuGJHsn2QZAlGiIhumY3PatoOOxpb+05Q29Id5Ibf1rjH/zZZMD3LteWkgaLYVs66nbjt0HvIHiFsT2SBNjOfpL39vRVqsbM+BQ/oKmQrNIy7BzO/yzwKqb4ahtzEdzO0yKtgGuEYzyM="
];
locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
try_files $uri $uri/ /en/products/index.php?$args;
'';
locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
try_files $uri $uri/ /de/produkte/index.php?$args;
'';
phpPackage = pkgs.php81;
};
}

15
hosts/web-arm/sites/optiprot.eu.nix Normal file
View File

@@ -0,0 +1,15 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."optiprot.eu" = {
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDGNI6KmHlpwR8+oSm8fPdeE68kJ70oQ9EkYfhf6pqLT4Kg61WJtcF0Wl1leirnO87a30rxjK1cm69jqED6paAg8Hxf7u9+M1i+vNDVS9aZWU12rG3P8mBVW3oJFyi4PmmXNFdzc+nJTpIZVDdQqoV6I6ZsXupNvx8BaZgP/I+bMBU9+7vCvdsUVN/10+5l5FZOHGNNvDWFQKt1uGNY2xAfpNmxepLOMnC50ARfrR5UU777WxBoPBi12EXJbNbiv64JQ6Zz6/Aq6QjFaOPz+aX06uGuHWQPFCp3bw9Mc2QoO9Z/gGekDU1zzHzpxgS+MQgnuWCRJ5U6PhYSgCoQ3iUsvdiHah8LpJRtyZj1UcIeU0932sj7rxwbuGJHsn2QZAlGiIhumY3PatoOOxpb+05Q29Id5Ibf1rjH/zZZMD3LteWkgaLYVs66nbjt0HvIHiFsT2SBNjOfpL39vRVqsbM+BQ/oKmQrNIy7BzO/yzwKqb4ahtzEdzO0yKtgGuEYzyM="
];
locations."~ \"^/en/products/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
try_files $uri $uri/ /en/products/index.php?$args;
'';
locations."~ \"^/de/produkte/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$\"".extraConfig = ''
try_files $uri $uri/ /de/produkte/index.php?$args;
'';
phpPackage = pkgs.php81;
};
}

43
hosts/web-arm/sites/paraclub.at.nix Normal file
View File

@@ -0,0 +1,43 @@
{ pkgs, lib, config, ... }:
let
domain = "paraclub.at";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${domain}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbSqS0TrJnmihjuIwLY74jKmuErF5jarQeVEQbnl7k8DDfVXP6DKybK2wVRIrAMN2VQzgXWWyRj2wNZrvq1whZon6CrEDxDVN/VDGS99pazczbrypmycVnPsevtS3wrEhiQrwCplkPxoZGlSAPGtx3SOzql+iG7xrhJfuPDCgwIboKf8Tir170aflH7ZfXqUX+V5QMbOn+roT8Tj7vUd/za3o3okJQrW3NUHT6/0TDkGsn+lJp30e94GF5RDLUJgM8pBf45WM94dv1uEfRI7+AQJZRta3X2VNSbb8I2dPNLmgxYQaW1VtwGP/RfxoFESdQubN74p+VxNeP7z5AFiZfhEYb0yiAwXiavN7fStXX/MKXxMicS2fdGzieXLWpLol70xx19492kOnlzoiPKJRosNw8N60R+AkbPYdwl5z5uKDn1ve79YaWB3KWS5Pcr9IT1wZAc48UePL6QtcDppHe8tUflPP5h/LCKOmAioWG59YF5pKfYNLSXJzmiudzzrs="
];
};
users.groups.${domain} = {};
}

44
hosts/web-arm/sites/paraclub.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,44 @@
{ pkgs, lib, config, ... }:
let
domain = "paraclub.cloonar.dev";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${domain}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDbSqS0TrJnmihjuIwLY74jKmuErF5jarQeVEQbnl7k8DDfVXP6DKybK2wVRIrAMN2VQzgXWWyRj2wNZrvq1whZon6CrEDxDVN/VDGS99pazczbrypmycVnPsevtS3wrEhiQrwCplkPxoZGlSAPGtx3SOzql+iG7xrhJfuPDCgwIboKf8Tir170aflH7ZfXqUX+V5QMbOn+roT8Tj7vUd/za3o3okJQrW3NUHT6/0TDkGsn+lJp30e94GF5RDLUJgM8pBf45WM94dv1uEfRI7+AQJZRta3X2VNSbb8I2dPNLmgxYQaW1VtwGP/RfxoFESdQubN74p+VxNeP7z5AFiZfhEYb0yiAwXiavN7fStXX/MKXxMicS2fdGzieXLWpLol70xx19492kOnlzoiPKJRosNw8N60R+AkbPYdwl5z5uKDn1ve79YaWB3KWS5Pcr9IT1wZAc48UePL6QtcDppHe8tUflPP5h/LCKOmAioWG59YF5pKfYNLSXJzmiudzzrs="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIM6QT0k58R90NrmDIjP1bNalHnwr9Y++tOhV9kRUVivI"
];
};
users.groups.${domain} = {};
}

61
hosts/web-arm/sites/stage.korean-skin.care.nix Normal file
View File

@@ -0,0 +1,61 @@
{ pkgs, lib, config, ... }:
let
user = "stage_korean_skin_care";
domain = "stage.korean-skin.care";
dataDir = "/var/www/${domain}";
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
'';
locations."~* \.(jpe?g|png)$".extraConfig = ''
set $red Z;
if ($http_accept ~* "webp") {
set $red A;
}
if (-f $document_root/webp/$request_uri.webp) {
set $red "''${red}B";
}
if ($red = "AB") {
add_header Vary Accept;
rewrite ^ /webp/$request_uri.webp;
}
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${user}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHLGkR8JVFtyFnsXTooT/krORpPDdnFk612GW1agaOeG"
];
};
users.groups.${user} = {};
}

49
hosts/web-arm/sites/stage.myhidden.life.nix Normal file
View File

@@ -0,0 +1,49 @@
{ pkgs, lib, config, ... }:
{
services.webstack.instances."stage.myhidden.life" = {
enableDefaultLocations = false;
enableMysql = true;
authorizedKeys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmLPJoHwL+d7dnc3aFLbRCDshxRSQ0dtAVv/LYBn2/PBlZcIyVO9drjr702GL9QuS5DQyjtoZjSOvv1ykBKedUwY3XDyyZgtqjleojKIFMXkdXtD5iG+RUraUfzcFCZU12BYXSeAXK1HmIjSDUtDOlp6lVVWxNpz1vWSRtA/+PULhP+n5Cj7232Wf372+EPfQPntOlcMbyrDLFtj7cUz+E6BH0qdX0l3QtIVnK/C1iagPAwLcwPJd9Sfs8lj5C4g8T9uBJa6OX+87lE4ySYY+Cik9BN59S0ctjXvWCFsPO3udQSC1mf33XdDenc2mbi+lZWTfrN8S2K5CsbxRsVBlbapFBRwufEpN4iQnaTu1QmzDrmktBFAPJ2jvjBJPIx6W3KOy3kUwh9WNhzd/ubf9dFTHzkTzgluo/Zk6/S8fTJiA4rbYKSkLw9Y265bvtR1kfUBLKSa/Axe5dkKysX1RNKfTJEwbh2TfIS3apQPZZc5kIEWfeK/6kbQX7WJZFtTs="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJW5N11DiAUBfjPFCcFX3CRzF6zAWD2sxMC1+IGC73/2"
];
extraConfig = ''
add_header X-Frame-Options "SAMEORIGIN";
add_header X-Content-Type-Options "nosniff";
index index.php
charset utf-8;
error_page 404 /index.php;
'';
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/robots.txt".extraConfig = ''
access_log off;
log_not_found off;
'';
locations."/".extraConfig = ''
try_files $uri $uri/ /index.php$is_args$args;
'';
phpPackage = pkgs.php82.withExtensions ({ enabled, all }:
enabled ++ [ all.imagick ]);
phpOptions = ''
upload_max_filesize = 50M
post_max_size = 50M
'';
};
systemd.services."stage-myhidden-life-schedule" = {
startAt = "*:0/1:0";
serviceConfig = {
Type = "oneshot";
User = "stage_myhidden_life";
ExecStart = "${pkgs.php83}/bin/php /var/www/stage.myhidden.life/artisan schedule:run";
};
};
}

45
hosts/web-arm/sites/tandem.paraclub.at.nix Normal file
View File

@@ -0,0 +1,45 @@
{ pkgs, lib, config, ... }:
let
domain = "tandem.paraclub.at";
dataDir = "/var/www/${domain}";
user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html$is_args$args;
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${user}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpezoJfaqSlQKhbzIRxQysmSmU5tih0SGFh4Eiy3YjfxiJSCRCuVTBCUmnhDCPsJZK+5xEDGarO8UfiqxZfxEyEL5d7IcRQJ/uRSFhYzByGbkziLM760KYqBzaE2Siu+zk625KOm6BN9qWGZdirejwf1Ay9EYmUdNiCMBBFLkPaQkZ8IEuMavf1wHEiZLas25eK7oJWHYKltcluH05QEF+5ODu88nlSpFlz2FjxJSbLDf7qeUba/L2OL124dTU5NIDNzwZLCKjpp8aTYzTaoox7KXUVRmy1X4Or61WhSxw9+LGyrAZLsW+l0a4FgY17V5HnF5/jf8eOpkuVdwtd29KCheJ4BdUfomV8vEt6S0hUP66VqJn6MliuL+10KM6TjLnjg0McPp1LPuSFRoLzO0YetTZzeVc0oBIr9Z3vjm6jt1dYcUtaydn/fc+FgoqpIOLz6EOGCz/CmyaV4rLk2BFKqtx5GP1wbP36hVkyWpREbEMILpFKDOyp21fC67mb0M="
];
};
users.groups.${user} = {};
}

46
hosts/web-arm/sites/tandem.paraclub.cloonar.dev.nix Normal file
View File

@@ -0,0 +1,46 @@
{ pkgs, lib, config, ... }:
let
domain = "tandem.paraclub.cloonar.dev";
dataDir = "/var/www/${domain}";
user = builtins.replaceStrings ["." "-"] ["_" "_"] domain;
in {
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
acmeRoot = null;
root = "${dataDir}";
locations."/favicon.ico".extraConfig = ''
log_not_found off;
access_log off;
'';
locations."/".extraConfig = ''
index index.html;
try_files $uri $uri/ /index.html$is_args$args;
'';
locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''
expires 365d;
add_header Pragma "public";
add_header Cache-Control "public";
'';
locations."~ [^/]\.php(/|$)".extraConfig = ''
deny all;
'';
};
users.users."${user}" = {
isNormalUser = true;
createHome = true;
home = dataDir;
homeMode= "770";
#home = "/home/${domain}";
group = "nginx";
openssh.authorizedKeys.keys = [
"ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDpezoJfaqSlQKhbzIRxQysmSmU5tih0SGFh4Eiy3YjfxiJSCRCuVTBCUmnhDCPsJZK+5xEDGarO8UfiqxZfxEyEL5d7IcRQJ/uRSFhYzByGbkziLM760KYqBzaE2Siu+zk625KOm6BN9qWGZdirejwf1Ay9EYmUdNiCMBBFLkPaQkZ8IEuMavf1wHEiZLas25eK7oJWHYKltcluH05QEF+5ODu88nlSpFlz2FjxJSbLDf7qeUba/L2OL124dTU5NIDNzwZLCKjpp8aTYzTaoox7KXUVRmy1X4Or61WhSxw9+LGyrAZLsW+l0a4FgY17V5HnF5/jf8eOpkuVdwtd29KCheJ4BdUfomV8vEt6S0hUP66VqJn6MliuL+10KM6TjLnjg0McPp1LPuSFRoLzO0YetTZzeVc0oBIr9Z3vjm6jt1dYcUtaydn/fc+FgoqpIOLz6EOGCz/CmyaV4rLk2BFKqtx5GP1wbP36hVkyWpREbEMILpFKDOyp21fC67mb0M="
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILamV0WQER05HbpFlKjMBSv/mN3d1kzS0Jxf8O5p/T1L"
];
};
users.groups.${user} = {};
}

1
hosts/web-arm/utils Symbolic link
View File

@@ -0,0 +1 @@
../../utils

7
papa-nb.md
View File

@@ -1,7 +0,0 @@
excel
überweisungen
email - outlook
remote desktop
cewe fotobuch

109
utils/modules/lego/secrets.yaml
View File

@@ -8,92 +8,101 @@ sops:
- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBva0ZWWG01TlpTby81NzFR
elJvRnZGcmpvZzlra05aNFQvL2ZuZnRYcHdRCkI0Ylp3dENWQ1p0ZWJOckk4UHpJ
aVRyUnd2MVRBKysySm45MVZNUm1ScWsKLS0tIDlBTm5JY29MMTdKUHZSMUM5M1ow
QkRXdE1BakZWUjlxTDByQ2IreFJ0WW8KPRgox+gVV4JsrVcBlaNT8MM32TWLvjFy
quGn6+RAlqH1dTxF7zAWP9ArotxK0zWwdJe3THp/so1PzfHzG153Og==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJMXJwSnlPZSswdE0zcjht
SVU5QzhkQWhQQndKWUFHeW5PRHFkTXB1YkZ3CjNONDJ4dmNmdjZDbUFWbmlibitu
eDZzNDd2VysvNTJHVTJtUkhRb0h2SEEKLS0tIFhzZ2VjK2EyUTRxWTQ1VVAyT1BO
S1dmN3RKdmNlQlMxWDJXeGhvV01JWHMK5vekesz0Rul/62RL3G/vcDF9ZmO5TIPY
YdAzZrjAt5Z87kobunkZbey0CJIBq25eIidg8PdbGmrx6VFoutns9Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJL3NZYjAxU1hXQTYyL2xw
OE9nUlZWMmxqOTBHQkptRVR4NkZmRkZaQ21NCjBsMFlSdzk0NmNoTDVBYWZOTkpK
U2wyUDdxRnF6SWtzRUZBTGwvZ0hVaHcKLS0tIGR3Z1FSOVZNUkJCZmpVZy9EVS9M
UjJkTnQxZUJFaGZzZ0M3WTVIeU1SdVUKkpEonSeadfMW2buitIkTvo096uyNAuM/
gHAmWaN/I5cUTkg1NIeboKLYhkKt2gEuAKaOsu1JuUvsBBtehHOpJg==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMmxHZnJjVHp0Vks2WG51
N1BGdjI5bzRUWDVyQmRjWVYxWktFSlB0TGcwCncxeE1uSTlRTzNjL2dMOUhJbmJI
bFNTaUYrTlBUL29rbEZDdkNISjlOSkEKLS0tIGNiM2RFRXhUV3RmY0M0N0UrTE41
M0liVXlsMFJzVmR2T1hHUUt0d0VSbmsKANZB5eDBTVhG6jPA1mUQyN9VEWC3V4uC
eBXdxs79ZSw8MHzqVpyCLh6+ztY4oVrw2dkMYVlsK1Oe/9fEMeH4+g==
-----END AGE ENCRYPTED FILE-----
- recipient: age106n5n3rrrss45eqqzz8pq90la3kqdtnw63uw0sfa2mahk5xpe30sxs5x58
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0cnIvTXZGdFN6bjNPbUVN
Z3RYdFdVamc2ZHJtanNYdTZWQkV5YjQ1YVc0CkVPUHZZRms2M3VSU2NjVzNUaTJY
ZnZtRmx0OThIR3ZtekRlZTUycFFHb0UKLS0tICtib0xqelNibUMwTmFzS2dFTFBU
bnU2ZzRGcVNLajI1SlpVOEMrQzNhRXcKxG0zj45vFrARUsWm4pkkxm7UcEVfy15w
sCzUFK7MSzYMbcUAeuSSJKLeJV9h2O0Nd4kRV8jO9dTTcT9xhIftzw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUWFPNTB6MG9iSGRNSTlZ
c1R6TGtOTW94eE9mS0ZCSjRkUEloNkF5TnlrCmJjaUIxU0dKaVJub2NQTlV2Uksy
Rm9NaDBWN2VuNEFIdUNrdFNBbDdsdW8KLS0tIGF3TExLK2Q3VEs2YWQvVUxVbWlr
em9hQXlSZ2VKZkN4MVMzWFNQOFJvWGMKc567TYejDxyH4Jx2iQvPpQkeyDA4w0of
ZIlW0vfJE61pkuWJs6lQ2F+0VzMHmpIsC2wR4p4+JfQEES3jCG3P3w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBObU9iL3pCam9kUjhxNWZR
QUtxUFpnTlVJT25TNmZqbVdOT05jZjZmcTFjCmwwa2pDb3o3SlA5b0FJTE42Lyt2
aUNUSWlsOGVUT3dNRnR3cE9FL1EzenMKLS0tIHg0WE0yOVkwZml5K2YxUTZtaElI
OUNxdUgyS21ZTFZoelVxRXRvakI5WUkK1HiQQqW7YT+Ra9fgpIU7/lKqKlT5KR0L
/jIVJxR61k9hVMjnh4s0ttKJc0UMNSqOej1SljaNXcH+c1wAckGl8g==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuYk9LQ1RrUVp2U1RDekxR
OWZXcmJsNWdGK0pnRDhJempoSWlUc2t1elVNCnoyRE5RRGJ6QkYzZ1lOc3pveGty
aUNKczVDamJuc3lRVm5Ca3Z6bWViYXMKLS0tIHZwTDd3emVLMzQ1QjNuY3EvZXVQ
emt1K21WNndYbnh4b1c0SERqTEJjNHMKKEUxjSAVO53bL9jGkbLn8xoj5motIlC9
d2UvlsPGU6Vi6zdg6ugf58WMD/pgr0NjmVFL0nk7XmNL19+eBuDPqw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTGVCOTlJQkZ1WDRkaHh6
dUlEcVBhMDRmZjJYdHdpUUhyZkxsaXFLd2dBCnZMVFhudGJTNmpDWEFEM0pRM3JJ
cURqLzdsMHdxRG9oNGhXOE1VU1NCRmcKLS0tIGJodWoyYlhIQzBMRnRKTzFPckll
YjM5cGFFWlZocUs3dXRSaHJDYndCeEEK50eynm0a4FYdT+BTB1mj/BXu/sXAGYnk
jrWzH2HMdQARszniSHflguIOLo/oVCefF0EbAWyEa5XbpSVyRyYQxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1ezq2j34qngky22enhnslx6hzh4ekwk8dtmn6c9us0uqxqpn7hgpsspjz58
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNMVpjK2ZYT0c3dURKY3Zn
ZUFrY29kTGQrT1d5Kzh3eTcreUpMTlNERVRRCll4NHpmdTN4bHFvdlMramJaemdM
VGNPQlZMcmdLQngyUC9LUXFYa25CNTAKLS0tIHRBMlJHS3duVnMwY0Q3ZDZWMzVQ
UmRGNHRpQjhhSzZqbTljVERqRHZWekkKyFju3iGm7ebnyYkwj23ES2hUQmjNOcUt
4pBdZQe37zhaAspSTmLBfAnEITDh+ZSaOEmIZgExnQk38hB0Ahq9mQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6K0dNUlQ1UVBTVUJsRXBu
cVY4NDYwUTUwaTVYTlZaNy9mdHUvbXpOVlJNCnRHanBuVkJMbEkvUSsyU2gwd3R2
RG5IM2c4N2w1UjZVWG9QbzhyRTNyd00KLS0tIDVVOE5FZlNYaGsxdHJ4RUlTRjYz
Z0xuVVAzemF6b3dBZGNYdFRUdktYR1EKX7QXdIGBry3j1QfFDGqYFGBVo84NcW4B
wz8ijaCnFb8FR6+PIOfXe44KGXgpqelUP2KjGyo8XbBgFzrHH+BX4A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1jyeppc8yl2twnv8fwcewutd5gjewnxl59lmhev6ygds9qel8zf8syt7zz4
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsUitId2REWVg0N1FEa0Z4
ZEJaTGZDRDMvR0J6TjNHVkZhU0xYc0NVYlVRCkRPdU9ucW1mMnhHcDIrUG8wdTBz
dDBNclUwRi9jdTNtV1FTL3lvTDV6aG8KLS0tIEJmeklxTEpYYUI1aVkrTDRCU1pT
UWRQNTEyMVlHRHBvSlRDRzErQSt2TUkKgLNNvXQD4U2q2A+b5+9COlnxDc9jLFWE
xDURstl4BjNPIp3pNkiQ+qQsWgH430hsOPvokb2HTFmmu2872YwC0Q==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVmpyQ281MHl3L1k2aVls
UDBXbnNqa3pIZEs1TXFCanphY2NCcmdLUVU4CmVOZ3FWT0ptOEE0Y1NPQXlTS0Q3
QVFpazNmMkx1Zkp2eXR2RXZEQjc5MU0KLS0tIGxIRmtjNllrbmVFZVZWZ21VNlZC
WmZKNFBzTkNBNlJkSmRXRWpqdk9HMlUKYeLz0i+P1i6zo8DT/AX+b81vWoQ8c6I7
p4xBmiGr+wvtAcA8viR4q65F3ZfFxY5GOsEtvtiSROj7Jcr/TIi+iA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1azmxsw5llmp2nnsv3yc2l8paelmq9rfepxd8jvmswgsmax0qyyxqdnsc7t
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcTB2eGRUM0gxa3QyTG9y
eW0xVmg2UHRmdGRPT1U5a1crZVJCR1o3YVVzCm9uTmg4aUF4TXkrdFB2eDVENkNx
YWtqU3pEZzhnU3BocUdzbTYzaTVhR28KLS0tIGxDZGoxcmhHVHdQOHZDd1M0Si94
bThMeHp6Zm55RG9MTTd2ajVxdTZtN0UKedZQO8bhfzCz1Nq4ajFq5zw0fTS4jN0K
nJ56i0J+T6rOx+iS8V2tfsf4eEbWT5cxio2RvaDQs3X+t4Agg4QNVQ==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDY0pvTEhPVnY3U3BrNENl
NTE3S0NHQmVMRFc4b0VoRXp1ZEtkZnBseGtNCjc1ZWhDeWZmZHR1cHYyaEFGQm00
dXE1WXZFd3FzcEJpSzcrQ2x2LzNUUkkKLS0tIGhhRW9RNk5Da21JdElMd1kyd1RQ
VVVrYUJmamdnU1BZK09qN2pqWWZyV2sKXu0CGOeSxi8KXvJbZ85KlmhYez7LflaA
PPiJbrbvVLR5Ui18zOZFAUewqKANTS15ut75V3rUoa2JVeSfpi617g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1zkzpnfeakyvg3fqtyay32sushjx2hqe28y6hs6ss7plemzqjqa5s6s5yu3
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFR1dvU3JGRFZYMzlqN1BS
YmNyb2xibWZVYTluSlhpTExIYkRvVnhlcDAwCnAvbTJYblFTZmNMaVVOQ21mL0hY
aE56czFXY2tJa3BLemtYQXFleWtrVHcKLS0tIEZ6WjdrK01haFk2L3VsS0RDSFdm
K2JzcFl4ZUZseFcwdmo0YmpBNXVQV1UKdFHcxBWuYApHcqkwzG++tQcW6Y6Vn7W7
E4dZXed5h+CkLRBTUKMLPD+Lh55odSoOfJBL3OrqUGQT0Wj0Zv6BnA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQN0JLWlFLRUdkT0Z4MmlF
R2pMNktUR1BPNG0xdmp5VGVKcFVCYW1iZldzCjBXdXFlaVRVYmNYU2FKb0I2WXp5
V21YTUxWTytTbUZ6OGVoaVhaZjlNKzAKLS0tIGlrRGVtUjM5OUNUZkxtcE5RcFBF
VGJ0V0YwS08zQW1Ua0dESmtWNjNZbGsKQ2eAGtCydscSQvLfHBxtUJyPgxNymWyT
wcMty732aWZw/uroJYYcrlfTm3q5Qs4+1mT57sxGBiL2XE6ruWdKgg==
-----END AGE ENCRYPTED FILE-----
- recipient: age14uarclad0ty5supc8ep09793xrnwkv8a4h9j0fq8d8lc92n2dadqkf64vw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNS3RIUm16OWF4ZTUzWC9l
NTdMYTg5ejZENFlSdDlreFRuaU1sT3pxR1VjCnloZkNpVEM5V1h4Y2QxMWhkT2xq
NkdiM1YzRkpweFY3QzBtNFgzT3hyU2MKLS0tIEhtenk5UlJGMTVmSzEvdlAyRDIr
YWd5dnZwSlp0T0lzOXJtRUlXWTUvRFkK12z9jv5v65LTpD2opIEQ/FlNPjyIGyo1
VKLaPg0MSIDxtqNZ8RSzWrRev+7VAlCZCWGtIrqtkABeRIHY0Qassw==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkN0R6Y3JPS2tRcnB0VFBo
YzNNaVhodERUcnlTTmtNc2tzcy8yS0x5R0RBCmJtb2RMMkFjdUd3OUc2MFZoZnU4
M0hGUW5YU000c09zR1hHZUs3cUVqOTgKLS0tIEFsVENreWcrZCtiNjg1YS9hVHpQ
WGVNNVZOV0JNQllpUnNSdHJiTDdOWFkKcwPzK8difry1xwjHZkOLDNcUaPUd1RCo
QeW8SPusotYscSQmVckxOUppdhpewF95isfCdoy4JtVulkNQCOJJVg==
-----END AGE ENCRYPTED FILE-----
- recipient: age1wq82xjyj80htz33x7agxddjfumr3wkwh3r24tasagepxw7ka893sau68df
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGS2QyZFA5cmY1YjNnSzZX
SnM3M21mY0FHZXpLS3d0Zk5XUC9VVFFzWmlRCjFVU2Z1TjJNYmFRUVB1NHYvM1p3
ZWxzN0NTdXJ6TlFtSzJFcUtzYWF4YXcKLS0tIHhlVCthYVJqa2xYbmE4YzVLZTht
cE51bExUMzloUnpSUS8zRm9QTjBIODgKaSaWFxjDn9jmEu2B35AyVJVDtI/2WT31
NuyhLAn3kE79MsT1CAE5HTTilmcKi9n8gULjv6ii1Nd+F6MUfBmmBA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkRHMrMDdLSEhLUjliblhB
WUFZTUkrOEFnRkl5a21RaXhoMnJRc3lDRldvCk4wZ1ZJaXRxaEVNYTVwOFZVcUNH
cDl6QThwTVhXMVdRY3h4R0hXSDJDLzAKLS0tIEppRFJMK2Y3dDZ2eTZPblNxQnA2
S1hyR1VxNFJkRnp0aDI0aUR1cHI1bGcKVVpd18ll/IsHjYajG4ziu1jfn5px+I/y
s2eWJY9CAHAFStl0MV8AoBWpZ+KoeMbBDZ1HXwK8UBZhCsjm0nnyfw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-09T07:12:13Z"
mac: ENC[AES256_GCM,data:gqsD5gTtE5ZqWzWKAAIscecvIsGSC9j4Cnbik6Yk7Jf7Z5/NIxbkInzDsLmlU3ObbLZAhGAlOAKIrUVy37rCcEZ+I04ICXK1dmUdsVud6E4SvTdDjh9qlXTbEkcDCY2YqXlTuQl6IZyveaPuF6fRe1FMh8JEpDv/foZTl8+AuQQ=,iv:+nV6YW9m1B0qo7xbB1lw9dgiQ877GQ6OxMqjk7lei10=,tag:NmeSwBWRKpqlwZxYYC7trg==,type:str]

2
utils/overlays/packages.nix
View File

@@ -3,5 +3,7 @@ self: super: {
ykfde = (super.callPackage ../pkgs/ykfde { });
sysbox = (super.callPackage ../pkgs/sysbox.nix { });
omada = (super.callPackage ../pkgs/omada.nix { });
creality-print = (super.callPackage ../pkgs/creality-print.nix { });
openaudible = (super.callPackage ../pkgs/openaudible.nix { });
wow-addon-manager = (super.callPackage ../pkgs/wow-addon-manager { });
}

15
utils/pkgs/creality-print.nix Normal file
View File

@@ -0,0 +1,15 @@
{ appimageTools, fetchurl }:
let
pname = "creality-print";
version = "4.3.7.6627";
src = fetchurl {
url = "https://file2-cdn.creality.com/file/05a4538e0c7222ce547eb8d58ef0251e/Creality_Print-v4.3.7.6627-x86_64-Release.AppImage";
# nix-prefetch-url --type sha256 --name Creality_Print-v4.3.7.6627-x86_64-Release.AppImage https://file2-cdn.creality.com/file/05a4538e0c7222ce547eb8d58ef0251e/Creality_Print-v4.3.7.6627-x86_64-Release.AppImage
# nix-hash --type sha256 --to-sri
sha256 = "sha256-WUsL7UbxSY94H4F1Ww8vLsfRyeg2/DZ+V4B6eH3M6+M=";
};
in
appimageTools.wrapType2 {
inherit pname version src;
}

16
utils/pkgs/openaudible.nix Normal file
View File

@@ -0,0 +1,16 @@
{ appimageTools, fetchurl }:
let
pname = "openaudible";
version = "4.4.3";
src = fetchurl {
url = "https://github.com/openaudible/openaudible/releases/download/v${version}/OpenAudible_${version}_x86_64.AppImage";
# nix-prefetch-url --type sha256 --name Creality_Print-v4.3.7.6627-x86_64-Release.AppImage https://file2-cdn.creality.com/file/05a4538e0c7222ce547eb8d58ef0251e/Creality_Print-v4.3.7.6627-x86_64-Release.AppImage
# nix-hash --type sha256 --to-sri
sha256 = "sha256-iTxN+SSGddbddtcqx2u69kEJYtSCLW7DOxu0HDYHfz0=";
};
in
appimageTools.wrapType2 {
inherit pname version src;
extraPkgs = pkgs: [ pkgs.webkitgtk pkgs.glib-networking ];
}