From aae34277aff7d15fc5d74df8a80f4c3ad42d1535 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 29 May 2022 20:09:57 +0200 Subject: l domsen: add more webistes/accounts --- lass/2configs/websites/domsen.nix | 54 +++++++++++++++++++++++++++++---------- 1 file changed, 40 insertions(+), 14 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix index 3f055e370..93d3c91ee 100644 --- a/lass/2configs/websites/domsen.nix +++ b/lass/2configs/websites/domsen.nix @@ -29,6 +29,8 @@ in { (servePage [ "apanowicz.de" "www.apanowicz.de" ]) (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ]) (servePage [ "illustra.de" "www.illustra.de" ]) + (servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ]) + (servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ]) (servePage [ "freemonkey.art" "www.freemonkey.art" @@ -36,20 +38,20 @@ in { (serveOwncloud [ "o.ubikmedia.de" ]) (serveWordpress [ "ubikmedia.de" - "nirwanabluete.de" "ubikmedia.eu" "youthtube.xyz" "joemisch.com" "weirdwednesday.de" "jarugadesign.de" + "beesmooth.ch" - "www.nirwanabluete.de" "www.ubikmedia.eu" "www.youthtube.xyz" "www.ubikmedia.de" "www.joemisch.com" "www.weirdwednesday.de" "www.jarugadesign.de" + "www.beesmooth.ch" "aldona2.ubikmedia.de" "cinevita.ubikmedia.de" @@ -64,9 +66,13 @@ in { "jarugadesign.ubikmedia.de" "crypto4art.ubikmedia.de" "jarugadesign.ubikmedia.de" + "beesmooth.ubikmedia.de" ]) ]; + # https://github.com/nextcloud/server/issues/25436 + services.mysql.settings.mysqld.innodb_read_only_compressed = 0; + services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ]; services.mysql.ensureUsers = [ { ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; } 
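Review bot: The new `services.mysql.settings.mysqld.innodb_read_only_compressed = 0;` is a server-wide MariaDB switch, and the only explanation is an issue link, so a reader has to leave the file to learn what it does and why; a one-line comment would help, e.g. `# MariaDB 10.6 made ROW_FORMAT=COMPRESSED tables read-only by default; nextcloud still uses them, so re-enable writes (global: affects every database on this host)`. Because it re-enables a deprecated storage format for all databases rather than only the nextcloud one, it is also worth recording the condition under which the line can be dropped, presumably once nextcloud no longer depends on compressed tables. The surrounding `services.mysql` settings continue outside the hunk.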
@@ -159,6 +165,7 @@ in { { from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; } { from = "kontakt@alewis.de"; to ="klabusterbeere"; } { from = "hallo@jarugadesign.de"; to ="kasia"; } + { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; } { from = "testuser@lassul.us"; to = "testuser"; } { from = "testuser@ubikmedia.eu"; to = "testuser"; } @@ -170,10 +177,12 @@ in { "apanowicz.de" "alewis.de" "jarugadesign.de" + "beesmooth.ch" ]; dkim = [ { domain = "ubikmedia.eu"; } { domain = "apanowicz.de"; } + { domain = "beesmooth.ch"; } ]; ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem"; ssl_key = "/var/lib/acme/lassul.us/key.pem"; @@ -332,6 +341,27 @@ in { isNormalUser = true; }; + users.users.avada = { + uid = genid_uint31 "avada"; + home = "/home/avada"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + + users.users.familienrat = { + uid = genid_uint31 "familienrat"; + home = "/home/familienrat"; + useDefaultShell = true; + createHome = true; + isNormalUser = true; + }; + krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {}; + krebs.acl."/srv/http"."u:familienrat:X" = { + default = false; + recursive = false; + }; + users.groups.xanf = {}; krebs.on-failure.plans.restic-backups-domsen = { @@ -372,18 +402,14 @@ in { ${pkgs.coreutils}/bin/chmod 750 /backups ''; - krebs.permown = { - "/srv/http" = { - group = "syncthing"; - owner = "nginx"; - umask = "0007"; - }; - "/home/xanf/XANF_TEAM" = { - owner = "XANF_TEAM"; - group = "xanf"; - umask = "0007"; - }; + # takes too long!! + # krebs.acl."/srv/http"."u:syncthing:rwX" = {}; + # krebs.acl."/srv/http"."u:nginx:rwX" = {}; + # krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {}; + krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {}; + krebs.acl."/home/xanf"."g:xanf:X" = { + default = false; + recursive = false; }; - } -- cgit v1.2.3 From 88fac070e231ad9b5c57cd96dc8322c30b9c3318 Mon Sep 17 00:00:00 2001 
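Review bot: The added alias `{ from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }` spells the domain `beeshmooth.ch`, while every other occurrence in this commit (the servePage entry, the `domains` list and the `dkim` entry in the next hunk) uses `beesmooth.ch`, so as written the alias never matches mail for the domain that was actually added. I would expect `{ from = "noreply@beesmooth.ch"; to ="besmooth@gmx.ch"; }`. Whether the `besmooth@gmx.ch` destination is also a typo cannot be told from the page and should be confirmed with the mailbox owner, since otherwise mail would be forwarded to an unrelated external address. The enclosing alias list starts and ends outside the hunk.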
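Review bot: `users.users.avada` is created as a normal user with a home and login shell, but nothing in this hunk grants it access to anything, and the only ACL that mentions it (`krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX"`) is commented out in the last hunk of this file, so the account exists with no documented purpose; a comment such as `# deploy account for ubikmedia.de; its /srv/http ACL is not yet applied (see krebs.acl below)` or leaving the user out until the grant is in place would make the intent clear. For `familienrat`, the `rwX` entry on `/srv/http/familienrat-hamburg.de` sets neither `default` nor `recursive` while the parent `X` entry sets both to false explicitly, so the scope of the write grant depends on option defaults not visible here; stating both on both entries would make it obvious. Neither user gets authorized keys or a group in this hunk, so how they are meant to log in is not visible from the page.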
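Review bot: Removing `krebs.permown."/srv/http"` (owner nginx, group syncthing, umask 0007) while leaving its ACL replacements commented out under `# takes too long!!` means this commit stops enforcing any ownership or mode on the web root, so syncthing's group write access and the no-world-access umask are no longer guaranteed after a rebuild. Either keep the `/srv/http` permown entry until the ACL variant is affordable, or extend the comment to say what now sets permissions there, e.g. `# ACLs on /srv/http take too long to apply; <what manages /srv/http permissions now>`. The XANF_TEAM entry is converted one-to-one and looks fine. The hunk ends at the module's closing brace.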
From: lassulus Date: Sun, 29 May 2022 20:11:20 +0200 Subject: l lassul.us: remove legacy tinc-graphs --- lass/2configs/websites/lassulus.nix | 6 ------ 1 file changed, 6 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 5bf8de013..7de993514 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -20,8 +20,6 @@ in { }; }; - krebs.tinc_graphs.enable = true; - users.groups.lasscert.members = [ "dovecot2" "ejabberd" @@ -48,10 +46,6 @@ in { locations."= /wireguard-key".extraConfig = '' alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey}; ''; - locations."/tinc/".extraConfig = '' - index index.html; - alias ${config.krebs.tinc_graphs.workingDir}/external/; - ''; locations."= /krebspage".extraConfig = '' default_type "text/html"; alias ${pkgs.krebspage}/index.html; -- cgit v1.2.3 From fd58fdb28ca6c577b6a5dda86dc6318f360169e2 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 29 May 2022 20:11:35 +0200 Subject: l lassul.us: remove deprecated users --- lass/2configs/websites/lassulus.nix | 15 --------------- 1 file changed, 15 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 7de993514..86a55c225 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -22,7 +22,6 @@ in { users.groups.lasscert.members = [ "dovecot2" - "ejabberd" "exim" "nginx" ]; @@ -84,19 +83,5 @@ in { root /var/lib/acme/acme-challenge; ''; }; - - users.users.blog = { - uid = genid_uint31 "blog"; - group = "nginx"; - description = "lassul.us blog deployment"; - home = "/srv/http/lassul.us"; - useDefaultShell = true; - createHome = true; - isSystemUser = true; - openssh.authorizedKeys.keys = with config.krebs.users; [ - lass.pubkey - lass-mors.pubkey - ]; - }; } -- cgit v1.2.3 
From 45073efe87fc0561819db645c509e60c3d3fd213 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 29 May 2022 20:12:12 +0200 Subject: l lassul.us: simplify pubkey locations --- lass/2configs/websites/lassulus.nix | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 86a55c225..2ff98f38d 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -57,14 +57,14 @@ in { alias ${initscript}/bin/init; ''; locations."= /blue.pub".extraConfig = '' - alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey}; + alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey}; ''; - locations."= /mors.pub".extraConfig = '' - alias ${pkgs.writeText "pub" config.krebs.users.lass-mors.pubkey}; - ''; - locations."= /yubi.pub".extraConfig = '' + locations."= /ssh.pub".extraConfig = '' alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey}; ''; + locations."= /gpg.pub".extraConfig = '' + alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default}; + ''; }; security.acme.certs."cgit.lassul.us" = { -- cgit v1.2.3 From b663d3c5977d2482f97babb74ade8edf15f11b53 Mon Sep 17 00:00:00 2001 From: lassulus Date: Sun, 29 May 2022 20:12:38 +0200 Subject: l: add ref.ptkk.de --- lass/2configs/websites/lassulus.nix | 1 + lass/2configs/websites/ref.ptkk.de/default.nix | 89 ++++++++++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 lass/2configs/websites/ref.ptkk.de/default.nix (limited to 'lass/2configs/websites') diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix index 2ff98f38d..411234b82 100644 --- a/lass/2configs/websites/lassulus.nix +++ b/lass/2configs/websites/lassulus.nix @@ -10,6 +10,7 @@ in { imports = [ ./default.nix ../git.nix + ./ref.ptkk.de ]; security.acme = { 
diff --git a/lass/2configs/websites/ref.ptkk.de/default.nix b/lass/2configs/websites/ref.ptkk.de/default.nix
new file mode 100644
index 000000000..14ce58b8e
--- /dev/null
+++ b/lass/2configs/websites/ref.ptkk.de/default.nix
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+{
+ services.nginx.virtualHosts."ref.ptkk.de" = {
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:4626";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cache_bypass $http_upgrade;
+ '';
+ };
+ locations."/static/" = {
+ alias = "/var/lib/ref.ptkk.de/static/";
+ };
+ forceSSL = true;
+ };
+ systemd.services."ref.ptkk.de" = {
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ PRODUCTION = "yip";
+ DATA_DIR = "/var/lib/ref.ptkk.de/data";
+ PORT = "4626";
+ STATIC_ROOT = "/var/lib/ref.ptkk.de/static";
+ };
+ path = with pkgs; [
+ git
+ gnutar
+ gzip
+ nix
+ ];
+ serviceConfig = {
+ ExecStartPre = [
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data"
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code"
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static"
+ ];
+ ExecStart = pkgs.writers.writeDash "nixify" ''
+ cd code
+ if test -e shell.nix; then
+ ${pkgs.nix}/bin/nix-shell -I /var/src --run serve
+ else
+ echo 'no shell.nix, bailing out'
+ exit 0
+ fi
+ '';
+ LoadCredential = [
+ "django-secret.key:${toString }/ref.ptkk.de-django.key"
+ ];
+ User = "ref.ptkk.de";
+ WorkingDirectory = "/var/lib/ref.ptkk.de";
+ StateDirectory = "ref.ptkk.de";
+ Restart = "always";
+ RestartSec = "100s";
+ };
+ };
+ systemd.services."ref.ptkk.de-restarter" = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service";
+ };
+ };
+ systemd.paths."ref.ptkk.de-restarter" = {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = [
+ "/var/lib/ref.ptkk.de/code"
+ "/var/src/nixpkgs"
+ ];
+ };
+
+ users.users."ref.ptkk.de" = {
+ isSystemUser = true;
+ uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com"
+ config.krebs.users.lass.pubkey
+ ];
+ group = "nginx";
+ home = "/var/lib/ref.ptkk.de";
+ useDefaultShell = true;
+ };
+}
-- cgit v1.2.3
From 1bf8ca72402124875b44d9745be03408dacf5b15 Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 29 May 2022 20:13:15 +0200
Subject: l owncloud: use php74
---
 lass/2configs/websites/util.nix | 1 +
 1 file changed, 1 insertion(+)
 (limited to 'lass/2configs/websites')
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index b6765037c..22b1669b0 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -174,6 +174,7 @@ rec {
 services.phpfpm.pools."${domain}" = {
 user = "nginx";
 group = "nginx";
+ phpPackage = pkgs.php74;
 extraConfig = ''
 listen = /srv/http/${domain}/phpfpm.pool
 pm = dynamic
-- cgit v1.2.3
From 4a9f93e8933d87ce8f04965b2772564527f1e2fd Mon Sep 17 00:00:00 2001
From: lassulus
Date: Sun, 29 May 2022 21:16:29 +0200
Subject: l domsen: nextcloud 21 -> 23
---
 lass/2configs/websites/domsen.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 (limited to 'lass/2configs/websites')
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 93d3c91ee..fe4d78a3b 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -104,7 +104,7 @@ in {
 services.nextcloud = {
 enable = true;
 hostName = "o.xanf.org";
- package = pkgs.nextcloud21;
+ package = pkgs.nextcloud23;
 config = {
 adminpassFile = "/run/nextcloud.pw";
 overwriteProtocol = "https";
-- cgit v1.2.3