{ config, pkgs, lib, ... }:
let
# Numeric-id helpers from krebs/4lib. genid turns a name into a uid (see the
# `uid = genid "..."` bindings below); presumably a hash of the name, so the
# ids are reproducible across rebuilds — confirm in krebs/4lib.
# NOTE(review): genid_signed is imported but not used anywhere in this file.
inherit (import <stockholm/krebs/4lib> { config = {}; inherit lib; })
  genid
  genid_signed
;
# Site helpers from lass's websites/util.nix. Each takes a list of host names
# and yields a NixOS module fragment that is imported below: ssl presumably
# provisions certificates for those names, the serve* helpers an nginx vhost
# of the given kind (static page, ownCloud, WordPress).
# NOTE(review): what ssl does exactly (ACME vs. self-signed, whether it adds
# www./wildcard names on its own) is not visible from this file.
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
  ssl
  servePage
  serveOwncloud
  serveWordpress;
# msmtp configuration used by the PHP sendmail wrapper below: every message
# is handed to the MTA listening on localhost (presumably the exim-smarthost
# configured further down). No authentication or TLS is configured, which is
# only acceptable because the hop never leaves the loopback device.
msmtprc = pkgs.writeText "msmtprc" ''
  account localhost
  host localhost
  account default: localhost
'';
# sendmail(1)-compatible wrapper around msmtp, wired into PHP via
# sendmail_path below. --read-envelope-from takes the envelope sender from the
# message's From: header, i.e. the PHP application (and therefore any
# compromised WordPress site) chooses the sender address that reaches exim.
sendmail = pkgs.writeDash "msmtp" ''
  exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
'';
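# PAM helper run by pam_exec (with expose_authtok) from the exim PAM service
# below: the password arrives on stdin, the user name in $PAM_USER. It checks
# the password against a per-user hash in /home/$PAM_USER/.shadow (first
# line, crypt(3) SHA-512 format "$6$salt$hash", as produced by
# `mkpasswd -m sha-512`), giving mail users a password independent of
# /etc/shadow.
#
# Exit status: 0 on match, 1 on mismatch, 2 on an unusable user name or hash,
# 123 when the user has no .shadow file. pam_exec treats any non-zero status
# as failure, so the PAM stack then falls through to pam_unix.
check-password = pkgs.writeDash "check-password" ''
  # `IFS= read -r` keeps the password byte-for-byte: plain `read` strips
  # leading/trailing whitespace and interprets backslashes. Never echo or
  # log $pw — pam_exec hands it over in the clear.
  IFS= read -r pw

  # $PAM_USER is attacker-controlled (it is the SMTP AUTH user name). Refuse
  # anything that could escape /home/<user>/ — otherwise the path below could
  # be pointed at an arbitrary file on the host.
  case "$PAM_USER" in
    ""|*/*|.|..) exit 2 ;;
  esac

  file="/home/$PAM_USER/.shadow"

  #check if shadow file exists
  test -e "$file" || exit 123

  hash="$(${pkgs.coreutils}/bin/head -1 "$file")"

  # Only the plain "$6$salt$hash" layout is understood; an empty file or a
  # "rounds=N$" variant would yield a bogus salt below, so reject it early.
  case "$hash" in
    '$6$'*) ;;
    *) exit 2 ;;
  esac

  # The salt is the field between the second and third '$'.
  salt="$(printf '%s\n' "$hash" | ${pkgs.gnused}/bin/sed 's/.*\$\(.*\)\$.*/\1/')"

  # printf rather than echo: dash's echo interprets backslash escapes (and a
  # leading -n) inside the password text, which would change what is hashed.
  calc_hash="$(printf '%s\n' "$pw" | ${pkgs.mkpasswd}/bin/mkpasswd -m sha-512 -S "$salt")"

  # POSIX test uses a single '='; '==' is a bashism that dash's builtin may
  # reject ("unexpected operator"), which would fail every login attempt.
  # NOTE: this string comparison is not constant-time.
  if [ "$calc_hash" = "$hash" ]; then
    exit 0
  else
    exit 1
  fi
'';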
in {
imports = [
  ./sqlBackup.nix

  # One (ssl [...]) fragment per site provisions certificates for the listed
  # names; the matching serve* fragment creates the vhost. The two name lists
  # are meant to agree.
  # NOTE(review): "www.pixelpocket.de" and "www.o.ubikmedia.de" are served but
  # missing from their ssl lists, and "*.ubikmedia.de" only appears in the
  # WordPress list — unless ssl adds www./wildcard names by itself, those
  # hosts answer with a certificate that does not match. Confirm in util.nix.
  (ssl [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
  (servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])

  (ssl [ "karlaskop.de" "www.karlaskop.de" ])
  (servePage [ "karlaskop.de" "www.karlaskop.de" ])

  (ssl [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])
  (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])

  (ssl [ "pixelpocket.de" ])
  (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])

  (ssl [ "o.ubikmedia.de" ])
  (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])

  # All WordPress-hosted domains share one certificate set and one vhost.
  (ssl [
    "ubikmedia.de"
    "aldona.ubikmedia.de"
    "apanowicz.de"
    "nirwanabluete.de"
    "aldonasiech.com"
    "360gradvideo.tv"
    "ubikmedia.eu"
    "facts.cloud"
    "youthtube.xyz"
    "illucloud.eu"
    "illucloud.de"
    "illucloud.com"
    "www.ubikmedia.de"
    "www.aldona.ubikmedia.de"
    "www.apanowicz.de"
    "www.nirwanabluete.de"
    "www.aldonasiech.com"
    "www.360gradvideo.tv"
    "www.ubikmedia.eu"
    "www.facts.cloud"
    "www.youthtube.xyz"
    "www.illucloud.eu"
    "www.illucloud.de"
    "www.illucloud.com"
  ])
  (serveWordpress [
    "ubikmedia.de"
    "apanowicz.de"
    "nirwanabluete.de"
    "aldonasiech.com"
    "360gradvideo.tv"
    "ubikmedia.eu"
    "facts.cloud"
    "youthtube.xyz"
    "illucloud.eu"
    "illucloud.de"
    "illucloud.com"
    "www.apanowicz.de"
    "www.nirwanabluete.de"
    "www.aldonasiech.com"
    "www.360gradvideo.tv"
    "www.ubikmedia.eu"
    "www.facts.cloud"
    "www.youthtube.xyz"
    "www.illucloud.eu"
    "www.illucloud.de"
    "www.illucloud.com"
    # Wildcard: presumably ends up in nginx's server_name, so every other
    # ubikmedia.de subdomain (including aldona./www.) is answered by the
    # WordPress vhost.
    "*.ubikmedia.de"
  ])
];
# Extra nginx location on the ubikmedia.de vhost, presumably for a Piwik
# install living under /piwik of the web root.
# NOTE(review): the last try_files fallback is the vhost-root /index.php
# (WordPress's front controller), not /piwik/index.php — a path under /piwik
# that does not exist on disk is handed to WordPress. Confirm that is intended.
krebs.nginx.servers."ubikmedia.de".locations = [
  (lib.nameValuePair "/piwik" ''
    try_files $uri $uri/ /index.php?$args;
  '')
];
# Databases dumped by the mysqlBackup module (configured in ./sqlBackup.nix);
# presumably the dumps land in /bku/sql_dumps, which the prism-sql-domsen
# backup plan below ships off-host. Any new site database must be added here
# or it is not backed up.
lass.mysqlBackup.config.all.databases = [
  "ubikmedia_de"
  "o_ubikmedia_de"
];
# Nightly push backups from prism to domsen's NAS. The payloads are sensitive:
# SQL dumps (typically including the WordPress/ownCloud user tables with
# password hashes), the web roots (which normally hold wp-config.php with DB
# credentials) and the ownCloud data directory — so the destination needs the
# same access controls as prism itself. Transport and authentication are
# whatever krebs.backup implements; nothing about them is set here.
krebs.backup.plans = {
  prism-sql-domsen = {
    method = "push";
    src = { host = config.krebs.hosts.prism; path = "/bku/sql_dumps"; };
    dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-sql"; };
    # Runs right after midnight; the SQL dump itself is scheduled elsewhere
    # (./sqlBackup.nix) and must be finished by then.
    startAt = "00:01";
  };
  prism-http-domsen = {
    method = "push";
    src = { host = config.krebs.hosts.prism; path = "/srv/http"; };
    dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-http"; };
    startAt = "00:10";
  };
  prism-o-ubikmedia-domsen = {
    method = "push";
    src = { host = config.krebs.hosts.prism; path = "/srv/o.ubikmedia.de-data"; };
    dst = { host = config.krebs.hosts.domsen-nas; path = "/mnt/UBIK-9TB-Pool/BACKUP/XXXX-MAX-UND-ANDERES/prism-owncloud"; };
    startAt = "00:30";
  };
};
# Global PHP settings shared by every php-fpm pool (i.e. all sites above).
# Mail leaves through the msmtp wrapper; -t makes it take recipients from the
# message headers. Uploads of up to 100M are allowed for every site, and
# post_max_size applies to every PHP endpoint, not only upload forms.
services.phpfpm.phpOptions = ''
  sendmail_path = ${sendmail} -t
  upload_max_filesize = 100M
  post_max_size = 100M
  file_uploads = on
'';
# MAIL STUFF
# TODO: make into its own module
# IMAP/POP3 access for the mail users below; mailboxes live in each user's
# ~/Mail as Maildir. TLS uses the ACME certificate for lassul.us (the same
# files exim uses below), so clients must connect using that host name.
# NOTE(review): nothing here disables the plaintext ports 110/143; they are
# simply not opened in the firewall below — verify they are not reachable
# some other way.
services.dovecot2 = {
  enable = true;
  mailLocation = "maildir:~/Mail";
  sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
  sslServerKey = "/var/lib/acme/lassul.us/key.pem";
};
# Open only the TLS-wrapped mail ports: POP3S (995), IMAPS (993) and SMTPS
# (465, implicit-TLS submission). The plaintext counterparts (110, 143, 25,
# 587) are not opened here, so the PLAIN/LOGIN SMTP authenticators below are
# only reachable from outside over TLS — provided nothing else opens them.
# The rules are not bound to an interface, so they apply to every address.
krebs.iptables.tables.filter.INPUT.rules = [
  { predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
  { predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
  { predicate = "-p tcp --dport 465"; target = "ACCEPT"; }
];
# PAM stack exim consults for SMTP AUTH (see the authenticators below).
#
# auth: pam_exec runs check-password with the password on stdin
#   (expose_authtok). Exit 0 is "sufficient", so a ~/.shadow match grants
#   access without consulting /etc/shadow; any other status falls through to
#   pam_unix. `debug` makes pam_exec log every invocation to syslog — drop it
#   once things work, and check what it writes before leaving it enabled.
#   `nullok` on pam_unix lets an account whose /etc/shadow password is empty
#   authenticate to exim with an empty password — confirm that is wanted for
#   the mail accounts.
# password: md5shadow picks MD5 for password changes made through this
#   service. Nothing changes passwords via exim, so the line is inert, but it
#   would be a weak choice if it were ever reached.
security.pam.services.exim.text = ''
  auth required pam_env.so
  auth sufficient pam_exec.so debug expose_authtok ${check-password}
  auth sufficient pam_unix.so likeauth nullok
  auth required pam_deny.so
  account required pam_unix.so
  password required pam_cracklib.so retry=3 type=
  password sufficient pam_unix.so nullok use_authtok md5shadow
  password required pam_deny.so
  session required pam_limits.so
  session required pam_unix.so
'';
# Exim smarthost: the local sites (via the msmtp wrapper) and the mail users
# submit through it; inbound mail for the aliased addresses is delivered to
# the local users named here. TLS uses the same ACME certificate as dovecot.
#
# Both authenticators are "plaintext" drivers: the password crosses the wire
# unprotected unless the session is TLS. They delegate the check to PAM
# (service "exim", defined above). For PLAIN, $auth2/$auth3 are user and
# password; for LOGIN, $auth1/$auth2.
# NOTE(review): no server_advertise_condition is set, so unless
# krebs.exim-smarthost adds one these mechanisms are also advertised on
# non-TLS sessions; `server_advertise_condition = ${if def:tls_in_cipher}`
# would restrict them. The firewall above opening only 465 mitigates this for
# remote clients.
krebs.exim-smarthost = {
  authenticators.PLAIN = ''
    driver = plaintext
    server_prompts = :
    server_condition = "''${if pam{$auth2:$auth3}{yes}{no}}"
    server_set_id = $auth2
  '';
  authenticators.LOGIN = ''
    driver = plaintext
    server_prompts = "Username:: : Password::"
    server_condition = "''${if pam{$auth1:$auth2}{yes}{no}}"
    server_set_id = $auth1
  '';
  # Public addresses: "to" is either another address (forwarded) or a local
  # user name (delivered into that user's ~/Mail).
  internet-aliases = [
    { from = "dominik@apanowicz.de"; to = "dma@ubikmedia.eu"; }
    { from = "mail@jla-trading.com"; to = "jla-trading"; }
    { from = "testuser@lassul.us"; to = "testuser"; }
  ];
  system-aliases = [
  ];
  ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
  ssl_key = "/var/lib/acme/lassul.us/key.pem";
};
# Maintenance account for domsen. Membership in the nginx group grants
# whatever that group can access under the web roots — likely including
# wp-config.php files with database credentials — so this is effectively
# administrative access to every hosted site.
# NOTE(review): no password or SSH key is set in this block; credentials must
# come from elsewhere (or, for mail only, from ~/.shadow via check-password).
users.users.domsen = {
  # Reproducible uid derived from the name, see genid above.
  uid = genid "domsen";
  description = "maintenance acc for domsen";
  home = "/home/domsen";
  useDefaultShell = true;
  extraGroups = [ "nginx" ];
  createHome = true;
};
# Mail user: receives mail@jla-trading.com through the exim alias above into
# ~/Mail. No password is configured here, so IMAP/SMTP authentication relies
# on ~/.shadow (read by check-password) or on credentials set elsewhere.
users.users.jla-trading = {
  # Reproducible uid derived from the name, see genid above.
  uid = genid "jla-trading";
  home = "/home/jla-trading";
  useDefaultShell = true;
  createHome = true;
};
}