.sops.yaml

@@ -64,13 +64,6 @@ creation_rules:
       - *dominik
       - *dominik2
       - *ldap-server-arm
-  - path_regex: hosts/fw/modules/web/[^/]+\.yaml$
-    key_groups:
-    - age:
-      - *bitwarden
-      - *dominik
-      - *dominik2
-      - *web-02
   - path_regex: utils/modules/lego/[^/]+\.yaml$
     key_groups:
     - age:

hosts/fw/modules/dnsmasq.nix

@@ -90,8 +90,7 @@
       address = [
         "/fw.cloonar.com/${config.networkPrefix}.97.1"
         "/omada.cloonar.com/${config.networkPrefix}.97.2"
-        "/web-02.cloonar.com/${config.networkPrefix}.97.5"
+        "/pc.cloonar.com/${config.networkPrefix}.96.5"
-        "/phpldapadmin.cloonar.com/${config.networkPrefix}.97.5"
         "/home-assistant.cloonar.com/${config.networkPrefix}.97.20"
         "/mopidy.cloonar.com/${config.networkPrefix}.97.21"
         "/snapcast.cloonar.com/${config.networkPrefix}.97.21"

hosts/fw/modules/web/default.nix

@@ -54,7 +54,6 @@ in {
           ../../utils/modules/lego/lego.nix
           # ../../utils/modules/borgbackup.nix
 
-          ./phpldapadmin.nix
           ./zammad.nix
           ./proxies.nix
           ./matrix.nix
@@ -62,9 +61,6 @@ in {
 
         networkPrefix = config.networkPrefix;
 
-        sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
-        sops.defaultSopsFile = ./secrets.yaml;
-
         time.timeZone = "Europe/Vienna";
 
         systemd.network.networks."10-lan" = {
@@ -120,6 +116,10 @@ in {
         # backups
         # borgbackup.repo = "u149513-sub2@u149513-sub2.your-backup.de:borg";
 
+
+        sops.age.sshKeyPaths = [ "/persist/etc/ssh/ssh_host_ed25519_key" ];
+        sops.defaultSopsFile = ./secrets.yaml;
+
         networking.firewall = {
           enable = true;
           allowedTCPPorts = [ 22 80 443 ];

hosts/fw/modules/web/phpldapadmin.nix

@@ -1,95 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with lib;
-
-let
-  phpldapadmin = pkgs.callPackage ../../pkgs/phpldapadmin.nix {};
-  fpm = config.services.phpfpm.pools.phpldapadmin;
-  stateDir = "/var/lib/phpldapadmin";
-  domain = "phpldapadmin.cloonar.com";
-in
-{
-
-  users.users.phpldapadmin = {
-    description = "PHPLdapAdmin Service";
-    home = stateDir;
-    useDefaultShell = true;
-    group = "phpldapadmin";
-    isSystemUser = true;
-  };
-
-  users.groups.phpldapadmin = { };
-
-  sops.secrets.phpldapadmin.owner = "phpldapadmin";
-
-  environment.etc."phpldapadmin/env".source = config.sops.secrets.phpldapadmin.path;
-
-  services.nginx = {
-    enable = true;
-    virtualHosts = {
-      "${domain}" = {
-        forceSSL = true;
-        enableACME = true;
-        acmeRoot = null;
-        root = stateDir;
-        locations."/" = {
-          root = "${phpldapadmin}/public";
-          index = "index.php";
-          extraConfig = ''
-            location ~* \.php(/|$) {
-              fastcgi_split_path_info ^(.+\.php)(/.+)$;
-              fastcgi_pass unix:${fpm.socket};
-
-              fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-              fastcgi_param PATH_INFO       $fastcgi_path_info;
-
-              include ${pkgs.nginx}/conf/fastcgi_params;
-              include ${pkgs.nginx}/conf/fastcgi.conf;
-            }
-          '';
-        };
-      };
-    };
-  };
-
-  environment.etc.nginx_allowed_groups = {
-    text = "employees";
-    mode = "0444";
-  };
-
-  security.pam.services.nginx.text = ''
-    # auth    required     pam_listfile.so \
-    #                      item=group sense=allow onerr=fail file=/etc/nginx_allowed_groups
-    auth    required     ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
-    account required     ${pkgs.nss_pam_ldapd}/lib/security/pam_ldap.so
-  '';
-  
-  services.phpfpm.pools.phpldapadmin = {
-    user = "phpldapadmin";
-    phpOptions = ''
-      error_log = 'stderr'
-      log_errors = on
-    '';
-    settings = mapAttrs (name: mkDefault) {
-      "listen.owner" = "nginx";
-      "listen.group" = "nginx";
-      "listen.mode" = "0660";
-      "pm" = "dynamic";
-      "pm.max_children" = 75;
-      "pm.start_servers" = 2;
-      "pm.min_spare_servers" = 1;
-      "pm.max_spare_servers" = 20;
-      "pm.max_requests" = 500;
-      "catch_workers_output" = true;
-    };
-    phpEnv."PATH" = pkgs.lib.makeBinPath [
-      pkgs.which
-      phpldapadmin
-    ];
-  };
-
-  systemd.tmpfiles.rules = [
-    "d '${stateDir}' 0750 phpldapadmin phpldapadmin - -"
-  ];
-
-}

hosts/fw/modules/web/secrets.yaml

@@ -3,46 +3,32 @@ borg-ssh-key: ENC[AES256_GCM,data:b/xZnUTfi85IG1s897CBF1HD7BTswQUatbotyZfLmbhxXx
 zammad-key-base: ENC[AES256_GCM,data:HO9MuwcwjryuXr5No8sCPfso5bpLtQCoczrC/R214ecVIFwwH1uhMeNO8Tlh6EjRLPo7aVTSz87Vx5yaNVezvHCs55G6TT9mcNS/v/V7sbFz9dNIgbFblY3gFIAa4cViioYc71wdb7d4Tta7qhse5zQ41KhAqCWuGDgFErQA4Oc=,iv:b1wY8fW0psircSlNXwDjPzNWK8NyAMNqegitNcqV6U4=,tag:oQ7nyO9TKOOu6IF7ODzpPA==,type:str]
 dendrite-private-key: ENC[AES256_GCM,data:ZHDIa/iYSZGofE67JU63fHRdKbs/ZyEJY45tV6H8WZAOcduGafPYBo2NCZ7nqLbc2Z9dUUgsrpzvkQ3+VaWqFUv7YsE+CbCx4CeiLGMkj8EAGzX4rkJGHMzkkc2UT7v9znCnKACS3fZtU69trqVMcf1PzgqepOHMBku37dzpwOQC/Tc3UTuO72M=,iv:Ljun1/ruY9cDBm9vu62riUrpGjrWtFFx90GeE7uc3Yo=,tag:FF4xPb1SDhK/4ITr/idvYg==,type:str]
 matrix-shared-secret: ENC[AES256_GCM,data:HeS4PT0R+TRU6Htwa5TChjK1VAjAdgSS8tSnva+ga3f+mEfJPTQ02pEvS2WFvcnchmEjNYy39zL/rbtX,iv:4yR+VgdJY3VcvLg18v+5jbJDSkFzaeyLNAZ0k8ivjdQ=,tag:RA96iSFDUdlXq30c/vkvpA==,type:str]
-phpldapadmin: ENC[AES256_GCM,data:CJBFQfi0qJmPQcxPcneHcXFsIku0a+xdv7rmrKzC0XsBcn3N/dP8cGBbkC/GcH2OWBhRWFNFm0GOEALbJa/1z/hFxbxn1QJlfglglaXHNjiwJqND51GmNzd+5GJ39RHR7w06fVABgCrDM60DChJLy0Iql/eCITYhZUGpoLd4I+fKXy9zggVIzAA3tTYziJNuaBQuMe/i8V8AIt0DBefrEBITyl3wi/+Y4utLXiEUPOWPGCYfS+Xp7LcHiTJ2rZzwKJjYPiPs+7UYx2IsT2+ksJtSHR0+ibUHXNzebBTmAZ3+YBoyeBvdw2VmsgJeCUTC2SLnBAsR4J3AoSDQcZ0XrHq2oIzZC/Mf5g==,iv:iHx495CM8LHqrsiNPwzFXZQxWJZ5kCgWYvgwirjy7Uw=,tag:c7FvYuYzYjqH/Bqs7FbMzA==,type:str]
 sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
     age:
-        - recipient: age14grjcxaq4h55yfnjxvnqhtswxhj9sfdcvyas4lwvpa8py27pjy2sv3g6v7
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiZmRBZm8wL3ZQdUZMSjRG
-            cnFWTjNhc2gvd3pURkdjdEpZdUE2ZE9nVFdnCnEvRGlScFJVUGZRenV3VXI5cU85
-            NkZ6clplbzZnR1ZWY0YvMy84WWRiMUEKLS0tIHliOE9KYTdlUlFEb2NuRE0yYWJm
-            OEhCZmphWVVjU3k1VHRDMnJWTUpQQVUK1M7fgK+d/KlbTzvt9CKj6cGgzZ+vwsfE
-            zqUbyJ/5UpmrU/3kQMxBMBmb8HsA8b/1itzOn4F54SF1Xm7CFDLTUQ==
-            -----END AGE ENCRYPTED FILE-----
         - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwaEpvdkdvSHZQTXZXbXZa
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUWdTYlRjWDJvemF5Q2sr
-            ckZrTW9qNW9SMzN2TkVaZTRlT1NKSm56Q1JzCnIxY1k3Q2VjTy9OSlZPbEZkVDBi
+            VCtrS2dTTGRwUlNIWHd0WkVCRkRMcGhuTzE0ClNic1FmQ05UNWQwbGc4TUFMNGlI
-            UWVCRHE5bWlDaVEyWERXeUdsL1BFYkUKLS0tIEhoK05uMVpzYXJFZHBRcDlZb296
+            K0RhK2pqUGY3UElmK1pNUEkxV2xGUTQKLS0tIFRORE9JTDRZK0MwZUJoc2xlcHFH
-            YWRTZmljUTJEQW5lUzdMa3N0Y045MlUK0lAs4L5D0DIKuxuHJmGbOu6SX1Y4KNJo
+            bmp3ZW14TVdCMHhkSi84NE5neDdrY3cKYfgu7aqvG6wQmEFhmzieXFGoQpyffPXj
-            VsgVUd9wU9r/ApoiaicAPNn0jyH3B8sGk1JGtrisL5eldc6Z5phR4g==
+            jiHrAPjBBFy21wdYf0nQXNMzekqOMJwOj0oNA2b5omprPxjB9uns4Q==
-            -----END AGE ENCRYPTED FILE-----
-        - recipient: age1v6p8dan2t3w9h94fz4flldl32082j3s9x6zqq7u5j66keth9aphsd6pvch
-          enc: |
-            -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlVEdRWkR4YzJNU2Z3ZW9t
-            VGNHM3gxZUM0SDlaMzBleHU3a3lsZ1M0dlNJCnF3R1JtUUZCZE9CV2NUVG9la2I5
-            R0hadEw2RldTS3J3cDdDQkp0OG4vZmsKLS0tIHl4UVpBejlFbkRycEZjSTNyditY
-            S3VRckhkNGRzR0VOOVBaRmZCT1lxM0kKThIJN/jw3tjaqaf1C5s6+K5BMBrMer2z
-            YNhhar3iomZbWvwJ5OW4dneU9p0drrcl5LR9tSAoTiSxIbfBZf+d0A==
             -----END AGE ENCRYPTED FILE-----
         - recipient: age1gjm4c3swt8u88e36gf2qlg3syxfc0ly94u64c42f2tsf24npw4csa6e4fw
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzOEhSaklkdnJoY0dOU3dt
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUjQxWnBMQXo3QmF1STUw
-            T1lyVVdVZ1VoRmQ4RURPN1ZjYWhPeU01T2gwCjFmbHZ3SThub2psTjBHOWk3M0hP
+            bHh1NDhvQXZIQ2RiOUx5OU5Wc3BVSEJDUEZVCmVzeFk5SWpMbVV4VUdsRmhiaWwz
-            WFk2RXFnM3AzSHhraEJmRmxWZzRFVE0KLS0tIDdteWVZKzJVNXdyZDJTbE43Zldr
+            bTJDY1pJRXJvNUdCSXJqQ3Byd3lWN2sKLS0tIHRKdXRNc1BYcURBRVNlenk1OEl3
-            WDdHb1I5dVFCcHJ0ejVhOXFIb1pKRlUKkCS05OVL7xvkZ1oh16GTCnateuXao9ZK
+            Q05BN0VnQ0haeHBobWhRV0EzL3dLSEkKWlALiX5mvG8y0WUc8yFWMbcpSRrSGoQx
-            6sMZ7/c9tafLH52psnjeUEJK15Bw8DihFjFctyIh242j8TtXXqxBYg==
+            SHaOlDCjYvViZ7GPRLqnSwDGZ1clC6JsTbwKXrMsWdZBKvSO/VIWQw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-06-10T11:35:59Z"
+    lastmodified: "2024-10-14T16:53:41Z"
-    mac: ENC[AES256_GCM,data:1r8IFSyvVmwSR9j9DROAbN6GmnQo8cg+Z1wCvg2hv/lql5FbeLgFUvVHYQvPGJK6cRUTM+7T010AZOZSWKJM2K3KqiinWLdVVM1G1Bvhv8T4epL2RHq65OgMd5jJFrMLYoyJmHUp3AkzlPeYJDtrvxGCB5B88H1L+ifZtV0pKJQ=,iv:uOnWxuPiPJkmc+wBf4EYihTLeugcyM4MX4AkYncfAFg=,tag:HWHGROye6YMR/cLm/C2G1Q==,type:str]
+    mac: ENC[AES256_GCM,data:DUi6zUrZBMVaYZ/BvWny7RwPgXe+vQ+odO30fGe8iZHj9d3gzB95F75CqIgENi4gVOA4CQDADE+p45z/mtl04HAh7RiT0/k21RSdQcH2W9AX525fOzeqbxbPA/tXJOctwGrytFwlK9UdJULXkJCwYrJnwNc0XPnBk1FodTykXWs=,iv:q/eapgTVL/rifrrZeIcXT5VO9bEoS4EmmEhYJ2xHvQ4=,tag:xb0Qj/wu17cLTkvefsDqiw==,type:str]
+    pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.10.2
+    version: 3.8.1

hosts/fw/pkgs/phpldapadmin.nix

@@ -1,36 +0,0 @@
-{ fetchurl, lib, stdenv, nodejs_24, php, phpPackages }:
-
-stdenv.mkDerivation rec {
-  pname    = "phpLDAPadmin";
-  version  = "2.1.4";
-
-  src = fetchurl {
-    url    = "https://github.com/leenooks/phpLDAPadmin/archive/${version}.tar.gz";
-    sha256 = "sha256-hkigC458YSgAZVCzVznix8ktDBuQm+UH3ujXn9Umylc=";
-  };
-
-  # Pull in PHP itself and Composer
-  buildInputs       = [ php nodejs_24 ];
-  nativeBuildInputs = [ phpPackages.composer ];
-
-  # Let composer do its work
-  buildPhase = ''
-    # install all PHP dependencies into vendor/
-    npm i
-    npm run prod
-    composer i --no-dev
-  '';
-
-  installPhase = ''
-    mkdir -p $out
-    # copy everything—including the newly created vendor/ directory
-    cp -r . $out/
-    ln -sf /etc/phpldapadmin/env $out/.env
-  '';
-
-  meta = {
-    description = "phpLDAPadmin";
-    license     = lib.licenses.gpl3;
-    platforms   = lib.platforms.all;
-  };
-}

hosts/mail/modules/openldap.nix

@@ -55,28 +55,20 @@ in {
               by * none
           ''
           ''
-            {1}to attrs=pgpPublicKey
+            {1}to attrs=loginShell
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to attrs=loginShell
               by self write
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * none
           ''
           ''
-            {3}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
+            {2}to dn.subtree="ou=system,ou=users,dc=cloonar,dc=com"
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * none
           ''
           ''
-            {4}to *
+            {3}to *
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by dn="cn=admin,dc=cloonar,dc=com" write
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
@@ -131,15 +123,7 @@ in {
               by * none
           ''
           ''
-            {1}to attrs=pgpPublicKey
+            {1}to *
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to *
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * read
@@ -176,15 +160,7 @@ in {
               by * none
           ''
           ''
-            {1}to attrs=pgpPublicKey
+            {1}to *
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to *
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * read
@@ -222,15 +198,7 @@ in {
               by * none
           ''
           ''
-            {1}to attrs=pgpPublicKey
+            {1}to *
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to *
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * read
@@ -268,15 +236,7 @@ in {
               by * none
           ''
           ''
-            {1}to attrs=pgpPublicKey
+            {1}to *
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to *
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * read
@@ -314,15 +274,7 @@ in {
               by * none
           ''
           ''
-            {1}to attrs=pgpPublicKey
+            {1}to *
-              by self write
-              by anonymous read
-              by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
-              by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
-              by * read
-          ''
-          ''
-            {2}to *
               by dn.subtree="ou=system,ou=users,dc=cloonar,dc=com" read
               by group.exact="cn=Administrators,ou=groups,dc=cloonar,dc=com" write
               by * read
@@ -347,7 +299,7 @@ in {
               (1.3.6.1.4.1.28298.1.2.4 NAME 'cloonarUser'
                 SUP (mailAccount) AUXILIARY
                 DESC 'Cloonar Account'
-                MAY (sshPublicKey $ pgpPublicKey $ ownCloudQuota $ quota))
+                MAY (sshPublicKey $ ownCloudQuota $ quota))
             ''
           ];
         };
@@ -422,22 +374,14 @@ in {
               EQUALITY octetStringMatch
               SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
           ''
-          ''
-            (1.3.6.1.4.1.24552.500.1.1.1.14
-              NAME 'pgpPublicKey'
-              DESC 'PGP/GPG Public key'
-              EQUALITY octetStringMatch
-              SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
-          ''
         ];
         olcObjectClasses = [
           ''
             (1.3.6.1.4.1.24552.500.1.1.2.0
               NAME 'ldapPublicKey'
               SUP top AUXILIARY
-              DESC 'SSH and PGP Public Key Support'
+              DESC 'MANDATORY: OpenSSH LPK objectclass'
-              MUST ( uid )
+              MUST ( sshPublicKey $ uid ))
-              MAY ( sshPublicKey $ pgpPublicKey ))
           ''
         ];
       };

hosts/nb/configuration.nix

@@ -12,15 +12,17 @@ in {
   security.pki.certificates = [ "/home/dominik/.local/share/mkcert/rootCA.pem" ];
 
   imports =
-    [
+    [ # Include the results of the hardware scan.
       "${impermanence}/nixos.nix"
+      # (import <nix-snapd>).nixosModules.default
       ./utils/bento.nix
       
       ./utils/modules/sops.nix
       ./utils/modules/nur.nix
       ./modules/appimage.nix
       ./modules/desktop
-      ./modules/development
+      ./modules/development/default.nix
+      # ./modules/printer.nix
       # ./modules/cyberghost.nix
       ./utils/modules/autoupgrade.nix
       ./modules/puppeteer.nix
@@ -28,14 +30,19 @@ in {
       ./modules/ollama.nix
       ./modules/qdrant.nix
 
+      # ./modules/development
+
       ./cachix.nix
       ./users
 
+      # coding
+
       # ./modules/steam.nix
       ./modules/fingerprint.nix
-      ./modules/set-nix-channel.nix
+      ./modules/set-nix-channel.nix # Automatically manage nix-channel from /var/bento/channel
 
       ./hardware-configuration.nix
+
     ];
 
   # services.snap.enable = true; 
@@ -166,6 +173,7 @@ in {
   networking.networkmanager.enable = true;  # Easiest to use and most distros use this by default.
   networking.extraHosts = ''
     77.119.230.30 vpn.cloonar.com
+    10.25.0.25 archive.zeichnemit.at
   '';
 
   # Set your time zone.
@@ -180,7 +188,20 @@ in {
 
   environment.systemPackages = with pkgs; [
     alsa-utils
-    sshpass
+    bento
+    docker-compose
+    drone-cli
+    git-filter-repo
+    nix-prefetch-git
+    openaudible
+    openmanus
+    unzip
+    vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.
+    wget
+    wireguard-tools
+    wineWowPackages.stable
+    wineWowPackages.fonts
+    winetricks
     pinentry-curses
     # ykfde
   ];
@@ -237,8 +258,6 @@ in {
             # epicenter.works
             "10.14.0.0/16"
             "10.25.0.0/16"
-            "188.34.191.144/32" # web-arm
-            "91.107.201.241" # mail
           ];
           endpoint = "vpn.cloonar.com:51820"; # ToDo: route to endpoint not automatically configured https://wiki.archlinux.org/index.php/WireGuard#Loop_routing https://discourse.nixos.org/t/solved-minimal-firewall-setup-for-wireguard-client/7577
           persistentKeepalive = 25;
@@ -264,7 +283,7 @@ in {
     # autoOptimiseStore = true;
     gc = {
       automatic = true;
-      dates = "daily";
+      dates = "weekly";
       options = "--delete-older-than 30d";
     };
     # Free up to 1GiB whenever there is less than 100MiB left.

hosts/nb/modules/desktop/default.nix

@@ -1,5 +1,8 @@
 { config, pkgs, lib, ... }:
 let
+  apache-ds-pin = import (builtins.fetchTarball {
+    url = "https://github.com/NixOS/nixpkgs/archive/9aec01027f7ea2bca07bb51d5ed83e78088871c1.tar.gz";
+  }) {};
 in {
   imports = [
     ../sway/sway.nix
@@ -13,7 +16,7 @@ in {
 
   environment.systemPackages = with pkgs; [
     alacritty
-    apache-directory-studio
+    apache-ds-pin.apache-directory-studio
     cryptomator
     fontforge
     freecad

hosts/nb/modules/development/default.nix

@@ -13,38 +13,27 @@ in {
     ./nvim/default.nix
   ];
   environment.systemPackages = with pkgs; [
-    bento
     ddev
-    docker-compose
-    drone-cli
     gcc
     git
-    git-filter-repo
     glib
     go
+    nodejs_22
+    rbw
+    bento
+    docker-compose
+    drone-cli
+    git-filter-repo
+    nix-prefetch-git
     jq
     mkcert
     mqttui
-    nix-prefetch-git
-    nodejs_22
-    rbw
-    sops
-    unzip
     vim
     wget
     wireguard-tools
+    unzip
     wol
   ];
 
   virtualisation.docker.enable = true;
-
-  virtualisation.libvirtd = {
-    enable = true;                     # Turn on the libvirtd daemon
-    qemu = {
-      ovmf = {
-        enable   = true;               # Enable OVMF firmware support
-      };
-      # swtpm.enable = true;           # enable if you need TPM emulation, etc.
-    };
-  };
 }

hosts/nb/users/configs/project_history

@@ -9,7 +9,6 @@
 /home/dominik/projects/cloonar/cloonar-assistant-customers
 /home/dominik/projects/cloonar/updns
 /home/dominik/projects/cloonar/mcp-servers-nix
-/home/dominik/projects/cloonar/ldap2vcard
 
 /home/dominik/projects/cloonar/flow/flow-docs
 /home/dominik/projects/cloonar/flow/flow-user-service

hosts/nb/users/dominik.nix

@@ -606,7 +606,6 @@ in
       git clone gitea@git.cloonar.com:Cloonar/cloonar-assistant-customers.git ${persistHome}/projects/cloonar/cloonar-assistant-customers 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/updns.git ${persistHome}/projects/cloonar/updns 2>/dev/null
       git clone git@github.com:dpolakovics/mcp-servers-nix.git ${persistHome}/cloonar/mcp-servers-nix 2>/dev/null
-      git clone gitea@git.cloonar.com:Cloonar/ldap2vcard.git ${persistHome}/projects/cloonar/ldap2vcard 2>/dev/null
 
       git clone gitea@git.cloonar.com:Cloonar/flow-docs.git ${persistHome}/projects/cloonar/flow/flow-docs 2>/dev/null
       git clone gitea@git.cloonar.com:Cloonar/flow-user-service.git ${persistHome}/projects/cloonar/flow/flow-user-service 2>/dev/null

hosts/web-arm/sites/dialog-relations.cloonar.dev.nix

@@ -5,6 +5,6 @@
     authorizedKeys = [
       "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1jkPi2LbnzP5hM4Mpt6rh+Vq5pTe63+zS3QvVyA4Ma"
     ];
-    phpPackage = pkgs.php84;
+    phpPackage = pkgs.php83;
   };
 }

hosts/web-arm/sites/dialog-relations.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG1jkPi2LbnzP5hM4Mpt6rh+Vq5pTe63+zS3QvVyA4Ma dominik@nb-01

hosts/web-arm/sites/paraclub.at.nix

@@ -23,7 +23,7 @@ in {
 
     locations."/".extraConfig = ''
       index index.html;
-      error_page 404 /de/404.html;
+      error_page 404 /404.html;
     '';
 
     locations."~* \.(js|jpg|gif|png|webp|css|woff2)$".extraConfig = ''