diff --git a/.sops.yaml b/.sops.yaml index 9746bad..99fcf13 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -64,6 +64,13 @@ creation_rules: - *dominik - *dominik2 - *ldap-server-arm + - path_regex: hosts/fw/modules/web/[^/]+\.yaml$ + key_groups: + - age: + - *bitwarden + - *dominik + - *dominik2 + - *web-02 - path_regex: utils/modules/lego/[^/]+\.yaml$ key_groups: - age: diff --git a/hosts/fw/modules/dnsmasq.nix b/hosts/fw/modules/dnsmasq.nix index f41f098..1104f1d 100644 --- a/hosts/fw/modules/dnsmasq.nix +++ b/hosts/fw/modules/dnsmasq.nix @@ -90,7 +90,8 @@ address = [ "/fw.cloonar.com/${config.networkPrefix}.97.1" "/omada.cloonar.com/${config.networkPrefix}.97.2" - "/pc.cloonar.com/${config.networkPrefix}.96.5" + "/web-02.cloonar.com/${config.networkPrefix}.97.5" + "/phpldapadmin.cloonar.com/${config.networkPrefix}.97.5" "/home-assistant.cloonar.com/${config.networkPrefix}.97.20" "/mopidy.cloonar.com/${config.networkPrefix}.97.21" "/snapcast.cloonar.com/${config.networkPrefix}.97.21" diff --git a/hosts/fw/modules/web/default.nix b/hosts/fw/modules/web/default.nix index 3fcfad8..4957903 100644 --- a/hosts/fw/modules/web/default.nix +++ b/hosts/fw/modules/web/default.nix @@ -54,6 +54,7 @@ in { ../../utils/modules/lego/lego.nix # ../../utils/modules/borgbackup.nix + ./phpldapadmin.nix ./zammad.nix ./proxies.nix ./matrix.nix @@ -61,6 +62,9 @@ in { networkPrefix = config.networkPrefix; + sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; + sops.defaultSopsFile = ./secrets.yaml; + time.timeZone = "Europe/Vienna"; systemd.network.networks."10-lan" = { @@ -116,10 +120,6 @@ in { # backups # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg"; - - sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ]; - sops.defaultSopsFile = ./secrets.yaml; - networking.firewall = { enable = true; allowedTCPPorts = [ 22 80 443 ]; diff --git a/hosts/fw/modules/web/phpldapadmin.nix b/hosts/fw/modules/web/phpldapadmin.nix new file mode 100644 index 0000000..76023ca --- /dev/null +++ b/hosts/fw/modules/web/phpldapadmin.nix @@ -0,0 +1,95 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + phpldapadmin = pkgs.callPackage ../../pkgs/phpldapadmin.nix {}; + fpm = config.services.phpfpm.pools.phpldapadmin; + stateDir = "/var/lib/phpldapadmin"; + domain = "phpldapadmin.cloonar.com"; +in +{ + + users.users.phpldapadmin = { + description = "PHPLdapAdmin Service"; + home = stateDir; + useDefaultShell = true; + group = "phpldapadmin"; + isSystemUser = true; + }; + + users.groups.phpldapadmin = { }; + + sops.secrets.phpldapadmin.owner = "phpldapadmin"; + + environment.etc."phpldapadmin/env".source = config.sops.secrets.phpldapadmin.path; + + services.nginx = { + enable = true; + virtualHosts = { + "${domain}" = { + forceSSL = true; + enableACME = true; + acmeRoot = null; + root = stateDir; + locations."/" = { + root = "${phpldapadmin}/public"; + index = "index.php"; + extraConfig = '' + location ~* \.php(/|$) { + fastcgi_split_path_info ^(.+\.php)(/.+)$; + fastcgi_pass unix:${fpm.socket}; + + fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; + fastcgi_param PATH_INFO $fastcgi_path_info; + + include ${pkgs.nginx}/conf/fastcgi_params; + include ${pkgs.nginx}/conf/fastcgi.conf; + } + ''; + }; + }; + }; + }; + + environment.etc.nginx_allowed_groups = { + text = "employees"; + mode = "0444"; + }; + + security.pam.services.nginx.text = '' + # auth required pam_listfile.so \ + # item=group sense=allow onerr=fail file=/etc/nginx_allowed_groups + auth required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + account required ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so + ''; + + services.phpfpm.pools.phpldapadmin = { + user = "phpldapadmin"; + phpOptions = '' + error_log = 'stderr' + log_errors = on + ''; + settings = mapAttrs (name: mkDefault) { + "listen.owner" = "nginx"; + "listen.group" = "nginx"; + "listen.mode" = "0660"; + "pm" = "dynamic"; + "pm.max_children" = 75; + "pm.start_servers" = 2; + "pm.min_spare_servers" = 1; + "pm.max_spare_servers" = 20; + "pm.max_requests" = 500; + "catch_workers_output" = true; + }; + phpEnv."PATH" = pkgs.lib.makeBinPath [ + pkgs.which + phpldapadmin + ]; + }; + + systemd.tmpfiles.rules = [ + "d '${stateDir}' 0750 phpldapadmin phpldapadmin - -" + ]; + +} diff --git a/hosts/fw/modules/web/secrets.yaml b/hosts/fw/modules/web/secrets.yaml index db256f4..23eb14d 100644 --- a/hosts/fw/modules/web/secrets.yaml +++ b/hosts/fw/modules/web/secrets.yaml @@ -3,32 +3,46 @@ borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXx zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str] dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str] matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str] +phpldapadmin: ENC[AES256_GCM,data:CJBFQfi0qJmPQcxPcneHcXFsIku0a+xdv7rmrKzC0XsBcn3N/dP8cGBbkC/GcH2OWBhRWFNFm0GOEALbJa/1z/hFxbxn1QJlfglglaXHNjiwJqND51GmNzd+5GJ39RHR7w06fVABgCrDM60DChJLy0Iql/eCITYhZUGpoLd4I+fKXy9zggVIzAA3tTYziJNuaBQuMe/i8V8AIt0DBefrEBITyl3wi/+Y4utLXiEUPOWPGCYfS+Xp7LcHiTJ2rZzwKJjYPiPs+7UYx2IsT2+ksJtSHR0+ibUHXNzebBTmAZ3+YBoyeBvdw2VmsgJeCUTC2SLnBAsR4J3AoSDQcZ0XrHq2oIzZC/Mf5g==,iv:iHx495CM8LHqrsiNPwzFXZQxWJZ5kCgWYvgwirjy7Uw=,tag:c7FvYuYzYjqH/Bqs7FbMzA==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] age: + - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZmRBZm8wL3ZQdUZMSjRG + cnFWTjNhc2gvd3pURkdjdEpZdUE2ZE9nVFdnCnEvRGlScFJVUGZRenV3VXI5cU85 + NkZ6clplbzZnR1ZWY0YvMy84WWRiMUEKLS0tIHliOE9KYTdlUlFEb2NuRE0yYWJm + OEhCZmphWVVjU3k1VHRDMnJWTUpQQVUK1M7fgK+d/KlbTzvt9CKj6cGgzZ+vwsfE + zqUbyJ/5UpmrU/3kQMxBMBmb8HsA8b/1itzOn4F54SF1Xm7CFDLTUQ== + -----END AGE ENCRYPTED FILE----- - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUWdTYlRjWDJvemF5Q2sr - VCtrS2dTTGRwUlNIWHd0WkVCRkRMcGhuTzE0ClNic1FmQ05UNWQwbGc4TUFMNGlI - K0RhK2pqUGY3UElmK1pNUEkxV2xGUTQKLS0tIFRORE9JTDRZK0MwZUJoc2xlcHFH - bmp3ZW14TVdCMHhkSi84NE5neDdrY3cKYfgu7aqvG6wQmEFhmzieXFGoQpyffPXj - jiHrAPjBBFy21wdYf0nQXNMzekqOMJwOj0oNA2b5omprPxjB9uns4Q== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaEpvdkdvSHZQTXZXbXZa + ckZrTW9qNW9SMzN2TkVaZTRlT1NKSm56Q1JzCnIxY1k3Q2VjTy9OSlZPbEZkVDBi + UWVCRHE5bWlDaVEyWERXeUdsL1BFYkUKLS0tIEhoK05uMVpzYXJFZHBRcDlZb296 + YWRTZmljUTJEQW5lUzdMa3N0Y045MlUK0lAs4L5D0DIKuxuHJmGbOu6SX1Y4KNJo + VsgVUd9wU9r/ApoiaicAPNn0jyH3B8sGk1JGtrisL5eldc6Z5phR4g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVEdRWkR4YzJNU2Z3ZW9t + VGNHM3gxZUM0SDlaMzBleHU3a3lsZ1M0dlNJCnF3R1JtUUZCZE9CV2NUVG9la2I5 + R0hadEw2RldTS3J3cDdDQkp0OG4vZmsKLS0tIHl4UVpBejlFbkRycEZjSTNyditY + S3VRckhkNGRzR0VOOVBaRmZCT1lxM0kKThIJN/jw3tjaqaf1C5s6+K5BMBrMer2z + YNhhar3iomZbWvwJ5OW4dneU9p0drrcl5LR9tSAoTiSxIbfBZf+d0A== -----END AGE ENCRYPTED FILE----- - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUjQxWnBMQXo3QmF1STUw - bHh1NDhvQXZIQ2RiOUx5OU5Wc3BVSEJDUEZVCmVzeFk5SWpMbVV4VUdsRmhiaWwz - bTJDY1pJRXJvNUdCSXJqQ3Byd3lWN2sKLS0tIHRKdXRNc1BYcURBRVNlenk1OEl3 - Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx - SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOEhSaklkdnJoY0dOU3dt + T1lyVVdVZ1VoRmQ4RURPN1ZjYWhPeU01T2gwCjFmbHZ3SThub2psTjBHOWk3M0hP + WFk2RXFnM3AzSHhraEJmRmxWZzRFVE0KLS0tIDdteWVZKzJVNXdyZDJTbE43Zldr + WDdHb1I5dVFCcHJ0ejVhOXFIb1pKRlUKkCS05OVL7xvkZ1oh16GTCnateuXao9ZK + 6sMZ7/c9tafLH52psnjeUEJK15Bw8DihFjFctyIh242j8TtXXqxBYg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-10-14T16:53:41Z" - mac: ENC[AES256_GCM,data:DUi6zUrZBMVaYZ/BvWny7RwPgXe+vQ+odO30fGe8iZHj9d3gzB95F75CqIgENi4gVOA4CQDADE+p45z/mtl04HAh7RiT0/k21RSdQcH2W9AX525fOzeqbxbPA/tXJOctwGrytFwlK9UdJULXkJCwYrJnwNc0XPnBk1FodTykXWs=,iv:q/eapgTVL/rifrrZeIcXT5VO9bEoS4EmmEhYJ2xHvQ4=,tag:xb0Qj/wu17cLTkvefsDqiw==,type:str] - pgp: [] + lastmodified: "2025-06-10T11:35:59Z" + mac: ENC[AES256_GCM,data:1r8IFSyvVmwSR9j9DROAbN6GmnQo8cg+Z1wCvg2hv/lql5FbeLgFUvVHYQvPGJK6cRUTM+7T010AZOZSWKJM2K3KqiinWLdVVM1G1Bvhv8T4epL2RHq65OgMd5jJFrMLYoyJmHUp3AkzlPeYJDtrvxGCB5B88H1L+ifZtV0pKJQ=,iv:uOnWxuPiPJkmc+wBf4EYihTLeugcyM4MX4AkYncfAFg=,tag:HWHGROye6YMR/cLm/C2G1Q==,type:str] unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.10.2 diff --git a/hosts/fw/pkgs/phpldapadmin.nix b/hosts/fw/pkgs/phpldapadmin.nix new file mode 100644 index 0000000..2a0bf15 --- /dev/null +++ b/hosts/fw/pkgs/phpldapadmin.nix @@ -0,0 +1,36 @@ +{ fetchurl, lib, stdenv, nodejs_24, php, phpPackages }: + +stdenv.mkDerivation rec { + pname = "phpLDAPadmin"; + version = "2.1.4"; + + src = fetchurl { + url = "https://github.com/leenooks/phpLDAPadmin/archive/${version}.tar.gz"; + sha256 = "sha256-hkigC458YSgAZVCzVznix8ktDBuQm+UH3ujXn9Umylc="; + }; + + # Pull in PHP itself and Composer + buildInputs = [ php nodejs_24 ]; + nativeBuildInputs = [ phpPackages.composer ]; + + # Let composer do its work + buildPhase = '' + # install all PHP dependencies into vendor/ + npm i + npm run prod + composer i --no-dev + ''; + + installPhase = '' + mkdir -p $out + # copy everything—including the newly created vendor/ directory + cp -r . $out/ + ln -sf /etc/phpldapadmin/env $out/.env + ''; + + meta = { + description = "phpLDAPadmin"; + license = lib.licenses.gpl3; + platforms = lib.platforms.all; + }; +} diff --git a/hosts/mail/modules/openldap.nix b/hosts/mail/modules/openldap.nix index 70fbd89..2fbd175 100644 --- a/hosts/mail/modules/openldap.nix +++ b/hosts/mail/modules/openldap.nix @@ -55,20 +55,28 @@ in { by * none '' '' - {1}to attrs=loginShell + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to attrs=loginShell by self write by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * none '' '' - {2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" + {3}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * none '' '' - {3}to * + {4}to * by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by dn="cn=admin,dc=cloonar,dc=com" write by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write @@ -123,7 +131,15 @@ in { by * none '' '' - {1}to * + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * read @@ -160,7 +176,15 @@ in { by * none '' '' - {1}to * + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * read @@ -198,7 +222,15 @@ in { by * none '' '' - {1}to * + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * read @@ -236,7 +268,15 @@ in { by * none '' '' - {1}to * + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * read @@ -274,7 +314,15 @@ in { by * none '' '' - {1}to * + {1}to attrs=pgpPublicKey + by self write + by anonymous read + by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read + by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write + by * read + '' + '' + {2}to * by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write by * read @@ -299,7 +347,7 @@ in { (1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser' SUP (mailAccount) AUXILIARY DESC 'Cloonar Account' - MAY (sshPublicKey $ ownCloudQuota $ quota)) + MAY (sshPublicKey $ pgpPublicKey $ ownCloudQuota $ quota)) '' ]; }; @@ -374,14 +422,22 @@ in { EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) '' + '' + (1.3.6.1.4.1.24552.500.1.1.1.14 + NAME 'pgpPublicKey' + DESC 'PGP/GPG Public key' + EQUALITY octetStringMatch + SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) + '' ]; olcObjectClasses = [ '' (1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY - DESC 'MANDATORY: OpenSSH LPK objectclass' - MUST ( sshPublicKey $ uid )) + DESC 'SSH and PGP Public Key Support' + MUST ( uid ) + MAY ( sshPublicKey $ pgpPublicKey )) '' ]; }; diff --git a/hosts/nb/configuration.nix b/hosts/nb/configuration.nix index cb5feb6..59307d2 100644 --- a/hosts/nb/configuration.nix +++ b/hosts/nb/configuration.nix @@ -12,17 +12,15 @@ in { security.pki.certificates = [ "/home/dominik/.local/share/mkcert/rootCA.pem" ]; imports = - [ # Include the results of the hardware scan. + [ "${impermanence}/nixos.nix" - # (import ).nixosModules.default ./utils/bento.nix ./utils/modules/sops.nix ./utils/modules/nur.nix ./modules/appimage.nix ./modules/desktop - ./modules/development/default.nix - # ./modules/printer.nix + ./modules/development # ./modules/cyberghost.nix ./utils/modules/autoupgrade.nix ./modules/puppeteer.nix @@ -30,19 +28,14 @@ in { ./modules/ollama.nix ./modules/qdrant.nix - # ./modules/development - ./cachix.nix ./users - # coding - # ./modules/steam.nix ./modules/fingerprint.nix - ./modules/set-nix-channel.nix # Automatically manage nix-channel from /var/bento/channel + ./modules/set-nix-channel.nix ./hardware-configuration.nix - ]; # services.snap.enable = true; @@ -173,7 +166,6 @@ in { networking.networkmanager.enable = true; # Easiest to use and most distros use this by default. networking.extraHosts = '' 77.119.230.30 vpn.cloonar.com - 10.25.0.25 archive.zeichnemit.at ''; # Set your time zone. @@ -188,20 +180,7 @@ in { environment.systemPackages = with pkgs; [ alsa-utils - bento - docker-compose - drone-cli - git-filter-repo - nix-prefetch-git - openaudible - openmanus - unzip - vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default. - wget - wireguard-tools - wineWowPackages.stable - wineWowPackages.fonts - winetricks + sshpass pinentry-curses # ykfde ]; @@ -258,6 +237,8 @@ in { # epicenter.works "10.14.0.0/16" "10.25.0.0/16" + "188.34.191.144/32" # web-arm + "91.107.201.241" # mail ]; endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577 persistentKeepalive = 25; @@ -283,7 +264,7 @@ in { # autoOptimiseStore = true; gc = { automatic = true; - dates = "weekly"; + dates = "daily"; options = "--delete-older-than 30d"; }; # Free up to 1GiB whenever there is less than 100MiB left. diff --git a/hosts/nb/modules/desktop/default.nix b/hosts/nb/modules/desktop/default.nix index c0ec148..b42f598 100644 --- a/hosts/nb/modules/desktop/default.nix +++ b/hosts/nb/modules/desktop/default.nix @@ -1,8 +1,5 @@ { config, pkgs, lib, ... }: let - apache-ds-pin = import (builtins.fetchTarball { - url = "https://github.com/NixOS/nixpkgs/archive/9aec01027f7ea2bca07bb51d5ed83e78088871c1.tar.gz"; - }) {}; in { imports = [ ../sway/sway.nix @@ -16,7 +13,7 @@ in { environment.systemPackages = with pkgs; [ alacritty - apache-ds-pin.apache-directory-studio + apache-directory-studio cryptomator fontforge freecad diff --git a/hosts/nb/modules/development/default.nix b/hosts/nb/modules/development/default.nix index b1e58b2..670ec19 100644 --- a/hosts/nb/modules/development/default.nix +++ b/hosts/nb/modules/development/default.nix @@ -13,27 +13,38 @@ in { ./nvim/default.nix ]; environment.systemPackages = with pkgs; [ - ddev - gcc - git - glib - go - nodejs_22 - rbw bento + ddev docker-compose drone-cli + gcc + git git-filter-repo - nix-prefetch-git + glib + go jq mkcert mqttui + nix-prefetch-git + nodejs_22 + rbw + sops + unzip vim wget wireguard-tools - unzip wol ]; virtualisation.docker.enable = true; + + virtualisation.libvirtd = { + enable = true; # Turn on the libvirtd daemon + qemu = { + ovmf = { + enable = true; # Enable OVMF firmware support + }; + # swtpm.enable = true; # enable if you need TPM emulation, etc. + }; + }; } diff --git a/hosts/nb/users/configs/project_history b/hosts/nb/users/configs/project_history index c2a00fb..9af5e08 100644 --- a/hosts/nb/users/configs/project_history +++ b/hosts/nb/users/configs/project_history @@ -9,6 +9,7 @@ /home/dominik/projects/cloonar/cloonar-assistant-customers /home/dominik/projects/cloonar/updns /home/dominik/projects/cloonar/mcp-servers-nix +/home/dominik/projects/cloonar/ldap2vcard /home/dominik/projects/cloonar/flow/flow-docs /home/dominik/projects/cloonar/flow/flow-user-service diff --git a/hosts/nb/users/dominik.nix b/hosts/nb/users/dominik.nix index 7b867e8..a66dba0 100644 --- a/hosts/nb/users/dominik.nix +++ b/hosts/nb/users/dominik.nix @@ -606,6 +606,7 @@ in git clone gitea@git.cloonar.com:Cloonar/cloonar-assistant-customers.git ${persistHome}/projects/cloonar/cloonar-assistant-customers 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null git clone git@github.com:dpolakovics/mcp-servers-nix.git ${persistHome}/cloonar/mcp-servers-nix 2>/dev/null + git clone gitea@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/flow-docs.git ${persistHome}/projects/cloonar/flow/flow-docs 2>/dev/null git clone gitea@git.cloonar.com:Cloonar/flow-user-service.git ${persistHome}/projects/cloonar/flow/flow-user-service 2>/dev/null diff --git a/hosts/web-arm/sites/dialog-relations.cloonar.dev.nix b/hosts/web-arm/sites/dialog-relations.cloonar.dev.nix index 9c1bf20..b44fc07 100644 --- a/hosts/web-arm/sites/dialog-relations.cloonar.dev.nix +++ b/hosts/web-arm/sites/dialog-relations.cloonar.dev.nix @@ -5,6 +5,6 @@ authorizedKeys = [ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1jkPi2LbnzP5hM4Mpt6rh+Vq5pTe63+zS3QvVyA4Ma" ]; - phpPackage = pkgs.php83; + phpPackage = pkgs.php84; }; } diff --git a/hosts/web-arm/sites/dialog-relations.pub b/hosts/web-arm/sites/dialog-relations.pub deleted file mode 100644 index b3433b2..0000000 --- a/hosts/web-arm/sites/dialog-relations.pub +++ /dev/null @@ -1 +0,0 @@ -ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1jkPi2LbnzP5hM4Mpt6rh+Vq5pTe63+zS3QvVyA4Ma dominik@nb-01 diff --git a/hosts/web-arm/sites/paraclub.at.nix b/hosts/web-arm/sites/paraclub.at.nix index d108d2f..cec6869 100644 --- a/hosts/web-arm/sites/paraclub.at.nix +++ b/hosts/web-arm/sites/paraclub.at.nix @@ -23,7 +23,7 @@ in { locations."/".extraConfig = '' index index.html; - error_page 404 /404.html; + error_page 404 /de/404.html; ''; locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''