2016-04-09 12:21:39 +00:00
|
|
|
{ config, pkgs, lib, ... }:
|
2015-12-12 17:21:50 +00:00
|
|
|
|
2016-03-23 12:45:06 +00:00
|
|
|
let
|
2016-09-08 19:23:51 +00:00
|
|
|
|
2016-10-20 19:40:11 +00:00
|
|
|
inherit (import <stockholm/lib>)
|
2016-05-12 22:22:22 +00:00
|
|
|
genid
|
2018-08-09 12:38:06 +00:00
|
|
|
genid_uint31
|
2016-09-08 19:23:51 +00:00
|
|
|
;
|
2016-05-31 21:26:35 +00:00
|
|
|
inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
|
2016-04-09 12:21:39 +00:00
|
|
|
servePage
|
2016-04-11 14:50:22 +00:00
|
|
|
serveOwncloud
|
|
|
|
serveWordpress;
|
2016-04-09 12:21:39 +00:00
|
|
|
|
2016-05-12 22:22:22 +00:00
|
|
|
msmtprc = pkgs.writeText "msmtprc" ''
|
2016-06-13 21:02:27 +00:00
|
|
|
account localhost
|
2016-05-12 22:22:22 +00:00
|
|
|
host localhost
|
2016-06-13 21:02:27 +00:00
|
|
|
account default: localhost
|
2016-05-12 22:22:22 +00:00
|
|
|
'';
|
|
|
|
|
|
|
|
sendmail = pkgs.writeDash "msmtp" ''
|
|
|
|
exec ${pkgs.msmtp}/bin/msmtp --read-envelope-from -C ${msmtprc} "$@"
|
|
|
|
'';
|
|
|
|
|
2016-03-23 12:45:06 +00:00
|
|
|
in {
|
2015-12-12 17:21:50 +00:00
|
|
|
imports = [
|
2017-08-01 18:47:34 +00:00
|
|
|
./default.nix
|
2016-05-31 22:13:19 +00:00
|
|
|
./sqlBackup.nix
|
2020-01-11 19:51:00 +00:00
|
|
|
(servePage [ "aldonasiech.com" "www.aldonasiech.com" ])
|
2020-09-27 13:40:10 +00:00
|
|
|
(servePage [ "apanowicz.de" "www.apanowicz.de" ])
|
2016-06-07 08:43:51 +00:00
|
|
|
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
|
2021-09-19 14:47:25 +00:00
|
|
|
(servePage [ "illustra.de" "www.illustra.de" ])
|
2018-06-08 03:02:27 +00:00
|
|
|
(servePage [
|
|
|
|
"freemonkey.art"
|
|
|
|
"www.freemonkey.art"
|
|
|
|
])
|
2016-12-26 13:18:08 +00:00
|
|
|
(serveOwncloud [ "o.ubikmedia.de" ])
|
2016-06-07 18:03:47 +00:00
|
|
|
(serveWordpress [
|
|
|
|
"ubikmedia.de"
|
|
|
|
"nirwanabluete.de"
|
|
|
|
"ubikmedia.eu"
|
2016-06-30 07:17:08 +00:00
|
|
|
"youthtube.xyz"
|
2017-06-20 18:16:36 +00:00
|
|
|
"joemisch.com"
|
2017-12-15 20:33:56 +00:00
|
|
|
"weirdwednesday.de"
|
2019-10-14 13:45:27 +00:00
|
|
|
"jarugadesign.de"
|
2017-12-15 20:33:56 +00:00
|
|
|
|
2016-06-07 18:03:47 +00:00
|
|
|
"www.nirwanabluete.de"
|
|
|
|
"www.ubikmedia.eu"
|
2016-06-30 07:17:08 +00:00
|
|
|
"www.youthtube.xyz"
|
2017-01-10 16:28:04 +00:00
|
|
|
"www.ubikmedia.de"
|
2018-03-18 20:35:27 +00:00
|
|
|
"www.joemisch.com"
|
2017-12-15 20:33:56 +00:00
|
|
|
"www.weirdwednesday.de"
|
2019-10-14 13:45:27 +00:00
|
|
|
"www.jarugadesign.de"
|
2017-12-15 20:33:56 +00:00
|
|
|
|
2017-01-13 12:37:12 +00:00
|
|
|
"aldona2.ubikmedia.de"
|
2017-01-09 16:14:25 +00:00
|
|
|
"cinevita.ubikmedia.de"
|
|
|
|
"factscloud.ubikmedia.de"
|
|
|
|
"illucloud.ubikmedia.de"
|
2017-01-13 12:37:12 +00:00
|
|
|
"joemisch.ubikmedia.de"
|
|
|
|
"karlaskop.ubikmedia.de"
|
|
|
|
"nb.ubikmedia.de"
|
|
|
|
"youthtube.ubikmedia.de"
|
2017-07-04 14:42:41 +00:00
|
|
|
"weirdwednesday.ubikmedia.de"
|
|
|
|
"freemonkey.ubikmedia.de"
|
|
|
|
"jarugadesign.ubikmedia.de"
|
2018-03-18 20:35:27 +00:00
|
|
|
"crypto4art.ubikmedia.de"
|
2019-10-14 13:45:27 +00:00
|
|
|
"jarugadesign.ubikmedia.de"
|
2016-06-07 18:03:47 +00:00
|
|
|
])
|
2016-04-09 12:21:39 +00:00
|
|
|
];
|
2015-12-12 17:21:50 +00:00
|
|
|
|
2018-10-23 13:44:33 +00:00
|
|
|
services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
|
|
|
|
services.mysql.ensureUsers = [
|
|
|
|
{ ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
|
|
|
|
{ ensurePermissions = { "o_ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
|
|
|
|
];
|
|
|
|
|
2016-12-26 13:18:08 +00:00
|
|
|
services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
|
|
|
|
try_files $uri $uri/ /index.php?$args;
|
|
|
|
'';
|
2016-07-08 12:07:56 +00:00
|
|
|
|
2016-05-31 22:13:19 +00:00
|
|
|
lass.mysqlBackup.config.all.databases = [
|
|
|
|
"ubikmedia_de"
|
|
|
|
"o_ubikmedia_de"
|
|
|
|
];
|
2016-04-11 14:50:49 +00:00
|
|
|
|
2016-10-11 15:50:42 +00:00
|
|
|
services.phpfpm.phpOptions = ''
|
|
|
|
sendmail_path = ${sendmail} -t
|
|
|
|
upload_max_filesize = 100M
|
|
|
|
post_max_size = 100M
|
|
|
|
file_uploads = on
|
2016-07-07 20:06:10 +00:00
|
|
|
'';
|
2016-07-21 17:47:42 +00:00
|
|
|
|
2021-09-19 14:48:05 +00:00
|
|
|
krebs.secret.files.nextcloud_pw = {
|
|
|
|
path = "/run/nextcloud.pw";
|
|
|
|
owner.name = "nextcloud";
|
|
|
|
group-name = "nextcloud";
|
|
|
|
source-path = toString <secrets> + "/nextcloud_pw";
|
|
|
|
};
|
2019-01-04 15:35:09 +00:00
|
|
|
services.nextcloud = {
|
|
|
|
enable = true;
|
|
|
|
hostName = "o.xanf.org";
|
2020-12-21 16:56:00 +00:00
|
|
|
package = pkgs.nextcloud20;
|
2019-01-04 15:35:09 +00:00
|
|
|
config = {
|
2021-09-19 14:48:05 +00:00
|
|
|
adminpassFile = "/run/nextcloud.pw";
|
2019-05-29 13:49:10 +00:00
|
|
|
overwriteProtocol = "https";
|
2019-01-04 15:35:09 +00:00
|
|
|
};
|
2019-04-07 17:24:41 +00:00
|
|
|
https = true;
|
2019-01-04 15:35:09 +00:00
|
|
|
};
|
|
|
|
services.nginx.virtualHosts."o.xanf.org" = {
|
|
|
|
enableACME = true;
|
|
|
|
forceSSL = true;
|
|
|
|
};
|
|
|
|
|
2016-07-21 17:47:42 +00:00
|
|
|
# MAIL STUFF
|
|
|
|
# TODO: make into its own module
|
2020-09-27 13:40:34 +00:00
|
|
|
|
|
|
|
# workaround for android 7
|
|
|
|
security.acme.certs."lassul.us".keyType = "rsa4096";
|
|
|
|
|
2016-09-08 19:23:51 +00:00
|
|
|
services.dovecot2 = {
|
|
|
|
enable = true;
|
|
|
|
mailLocation = "maildir:~/Mail";
|
|
|
|
sslServerCert = "/var/lib/acme/lassul.us/fullchain.pem";
|
|
|
|
sslServerKey = "/var/lib/acme/lassul.us/key.pem";
|
|
|
|
};
|
|
|
|
krebs.iptables.tables.filter.INPUT.rules = [
|
|
|
|
{ predicate = "-p tcp --dport pop3s"; target = "ACCEPT"; }
|
|
|
|
{ predicate = "-p tcp --dport imaps"; target = "ACCEPT"; }
|
|
|
|
];
|
|
|
|
|
2016-07-21 17:47:42 +00:00
|
|
|
krebs.exim-smarthost = {
|
2016-09-08 19:23:51 +00:00
|
|
|
authenticators.PLAIN = ''
|
|
|
|
driver = plaintext
|
2016-10-27 12:19:26 +00:00
|
|
|
public_name = PLAIN
|
2019-04-17 18:16:06 +00:00
|
|
|
server_condition = ''${run{/run/wrappers/bin/shadow_verify_arg ${config.lass.usershadow.pattern} $auth2 $auth3}{yes}{no}}
|
2016-09-08 19:23:51 +00:00
|
|
|
'';
|
|
|
|
authenticators.LOGIN = ''
|
|
|
|
driver = plaintext
|
2016-10-27 12:19:26 +00:00
|
|
|
public_name = LOGIN
|
2016-09-08 19:23:51 +00:00
|
|
|
server_prompts = "Username:: : Password::"
|
2016-10-27 12:19:26 +00:00
|
|
|
server_condition = ''${run{${config.lass.usershadow.path}/bin/verify_arg ${config.lass.usershadow.pattern} $auth1 $auth2}{yes}{no}}
|
2016-09-08 19:23:51 +00:00
|
|
|
'';
|
2016-07-21 17:47:42 +00:00
|
|
|
internet-aliases = [
|
2017-01-21 17:38:32 +00:00
|
|
|
{ from = "dma@ubikmedia.de"; to = "domsen"; }
|
|
|
|
{ from = "dma@ubikmedia.eu"; to = "domsen"; }
|
2017-10-26 17:16:24 +00:00
|
|
|
{ from = "mail@habsys.de"; to = "domsen"; }
|
|
|
|
{ from = "mail@habsys.eu"; to = "domsen"; }
|
2020-09-27 13:41:35 +00:00
|
|
|
{ from = "hallo@apanowicz.de"; to = "domsen"; }
|
2017-07-31 11:49:43 +00:00
|
|
|
{ from = "bruno@apanowicz.de"; to = "bruno"; }
|
2016-07-21 17:47:42 +00:00
|
|
|
{ from = "mail@jla-trading.com"; to = "jla-trading"; }
|
2017-01-21 17:38:32 +00:00
|
|
|
{ from = "jms@ubikmedia.eu"; to = "jms"; }
|
|
|
|
{ from = "ms@ubikmedia.eu"; to = "ms"; }
|
2017-02-05 08:35:31 +00:00
|
|
|
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
|
2018-12-16 15:36:13 +00:00
|
|
|
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
|
2019-05-29 13:48:42 +00:00
|
|
|
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
|
2017-01-21 17:38:32 +00:00
|
|
|
|
|
|
|
{ from = "testuser@lassul.us"; to = "testuser"; }
|
2017-04-11 18:01:03 +00:00
|
|
|
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
|
2016-07-21 17:47:42 +00:00
|
|
|
];
|
2016-10-27 12:19:26 +00:00
|
|
|
sender_domains = [
|
|
|
|
"jla-trading.com"
|
2017-01-21 17:38:32 +00:00
|
|
|
"ubikmedia.eu"
|
2017-03-16 14:09:57 +00:00
|
|
|
"ubikmedia.de"
|
2020-09-27 13:41:35 +00:00
|
|
|
"apanowicz.de"
|
2018-12-17 08:33:45 +00:00
|
|
|
"alewis.de"
|
2019-05-29 13:48:42 +00:00
|
|
|
"jarugadesign.de"
|
2016-07-21 17:47:42 +00:00
|
|
|
];
|
2020-09-27 13:41:35 +00:00
|
|
|
dkim = [
|
|
|
|
{ domain = "ubikmedia.eu"; }
|
|
|
|
{ domain = "apanowicz.de"; }
|
|
|
|
];
|
2016-09-08 19:23:51 +00:00
|
|
|
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
|
|
|
|
ssl_key = "/var/lib/acme/lassul.us/key.pem";
|
2016-07-21 17:47:42 +00:00
|
|
|
};
|
|
|
|
|
2019-01-22 15:32:18 +00:00
|
|
|
users.users.UBIK-SFTP = {
|
|
|
|
uid = genid_uint31 "UBIK-SFTP";
|
|
|
|
home = "/home/UBIK-SFTP";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2019-01-22 15:32:18 +00:00
|
|
|
};
|
|
|
|
|
2018-11-20 00:15:56 +00:00
|
|
|
users.users.xanf = {
|
|
|
|
uid = genid_uint31 "xanf";
|
2020-10-29 10:50:16 +00:00
|
|
|
group = "xanf";
|
2018-11-20 00:15:56 +00:00
|
|
|
home = "/home/xanf";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2018-11-20 00:15:56 +00:00
|
|
|
};
|
|
|
|
|
2016-07-21 17:47:42 +00:00
|
|
|
users.users.domsen = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "domsen";
|
2016-07-21 17:47:42 +00:00
|
|
|
description = "maintenance acc for domsen";
|
|
|
|
home = "/home/domsen";
|
|
|
|
useDefaultShell = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
extraGroups = [ "syncthing" "download" "xanf" ];
|
2016-07-21 17:47:42 +00:00
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2016-07-21 17:47:42 +00:00
|
|
|
};
|
|
|
|
|
2017-07-31 11:49:43 +00:00
|
|
|
users.users.bruno = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "bruno";
|
2017-07-31 11:49:43 +00:00
|
|
|
home = "/home/bruno";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2017-07-31 11:49:43 +00:00
|
|
|
};
|
|
|
|
|
2016-07-21 17:47:42 +00:00
|
|
|
users.users.jla-trading = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "jla-trading";
|
2016-07-21 17:47:42 +00:00
|
|
|
home = "/home/jla-trading";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2016-07-21 17:47:42 +00:00
|
|
|
};
|
2017-01-21 17:38:32 +00:00
|
|
|
|
|
|
|
users.users.jms = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "jms";
|
2017-01-21 17:38:32 +00:00
|
|
|
home = "/home/jms";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2017-01-21 17:38:32 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
users.users.ms = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "ms";
|
2017-01-21 17:38:32 +00:00
|
|
|
home = "/home/ms";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2017-01-21 17:38:32 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
users.users.testuser = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "testuser";
|
2017-01-21 17:38:32 +00:00
|
|
|
home = "/home/testuser";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2017-01-21 17:38:32 +00:00
|
|
|
};
|
2017-03-25 21:49:50 +00:00
|
|
|
|
2021-06-05 12:33:57 +00:00
|
|
|
#users.users.akayguen = {
|
|
|
|
# uid = genid_uint31 "akayguen";
|
|
|
|
# home = "/home/akayguen";
|
|
|
|
# useDefaultShell = true;
|
|
|
|
# createHome = true;
|
|
|
|
# isNormalUser = true;
|
|
|
|
#};
|
2018-05-14 20:09:50 +00:00
|
|
|
|
2018-07-13 14:34:36 +00:00
|
|
|
users.users.bui = {
|
2018-08-09 12:38:06 +00:00
|
|
|
uid = genid_uint31 "bui";
|
2018-07-13 14:34:36 +00:00
|
|
|
home = "/home/bui";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2018-07-13 14:34:36 +00:00
|
|
|
};
|
|
|
|
|
2018-12-16 15:36:13 +00:00
|
|
|
users.users.klabusterbeere = {
|
|
|
|
uid = genid_uint31 "klabusterbeere";
|
|
|
|
home = "/home/klabusterbeere";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2018-12-16 15:36:13 +00:00
|
|
|
};
|
|
|
|
|
2019-05-29 13:48:42 +00:00
|
|
|
users.users.kasia = {
|
|
|
|
uid = genid_uint31 "kasia";
|
|
|
|
home = "/home/kasia";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
2019-05-29 13:48:42 +00:00
|
|
|
};
|
2019-05-29 13:49:29 +00:00
|
|
|
|
2020-10-29 10:50:16 +00:00
|
|
|
users.users.XANF_TEAM = {
|
|
|
|
uid = genid_uint31 "XANF_TEAM";
|
|
|
|
group = "xanf";
|
|
|
|
home = "/home/XANF_TEAM";
|
|
|
|
useDefaultShell = true;
|
|
|
|
createHome = true;
|
2021-06-05 12:33:57 +00:00
|
|
|
isNormalUser = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
users.users.dif = {
|
|
|
|
uid = genid_uint31 "dif";
|
|
|
|
home = "/home/dif";
|
|
|
|
useDefaultShell = true;
|
|
|
|
extraGroups = [ "xanf" ];
|
|
|
|
createHome = true;
|
|
|
|
isNormalUser = true;
|
|
|
|
};
|
|
|
|
|
|
|
|
users.users.lavafilms = {
|
|
|
|
uid = genid_uint31 "lavafilms";
|
|
|
|
home = "/home/lavafilms";
|
|
|
|
useDefaultShell = true;
|
|
|
|
extraGroups = [ "xanf" ];
|
|
|
|
createHome = true;
|
|
|
|
isNormalUser = true;
|
2020-10-29 10:50:16 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
users.groups.xanf = {};
|
|
|
|
|
2019-05-29 13:49:29 +00:00
|
|
|
krebs.on-failure.plans.restic-backups-domsen = {
|
|
|
|
journalctl = {
|
|
|
|
lines = 1000;
|
|
|
|
};
|
|
|
|
};
|
2019-10-14 13:45:27 +00:00
|
|
|
|
2019-01-22 15:32:48 +00:00
|
|
|
services.restic.backups.domsen = {
|
|
|
|
initialize = true;
|
2019-10-14 13:45:27 +00:00
|
|
|
repository = "/backups/domsen";
|
2019-01-22 15:32:48 +00:00
|
|
|
passwordFile = toString <secrets> + "/domsen_backup_pw";
|
2019-04-07 17:24:16 +00:00
|
|
|
timerConfig = { OnCalendar = "00:05"; RandomizedDelaySec = "5h"; };
|
2019-01-22 15:32:48 +00:00
|
|
|
paths = [
|
|
|
|
"/home/domsen/Mail"
|
|
|
|
"/home/ms/Mail"
|
|
|
|
"/home/klabusterbeere/Mail"
|
|
|
|
"/home/jms/Mail"
|
2019-05-29 13:49:45 +00:00
|
|
|
"/home/kasia/Mail"
|
2019-01-22 15:32:48 +00:00
|
|
|
"/home/bruno/Mail"
|
|
|
|
"/home/akayguen/Mail"
|
|
|
|
"/backups/sql_dumps"
|
|
|
|
];
|
|
|
|
};
|
|
|
|
|
2020-04-08 10:33:08 +00:00
|
|
|
services.syncthing.declarative.folders = {
|
2019-10-14 13:45:27 +00:00
|
|
|
domsen-backups = {
|
|
|
|
path = "/backups/domsen";
|
2020-04-08 10:33:08 +00:00
|
|
|
devices = [ "domsen-backup" ];
|
2019-10-14 13:45:27 +00:00
|
|
|
};
|
|
|
|
domsen-backup-srv-http = {
|
|
|
|
path = "/srv/http";
|
2020-04-08 10:33:08 +00:00
|
|
|
devices = [ "domsen-backup" ];
|
2019-10-14 13:45:27 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
system.activationScripts.domsen-backups = ''
|
|
|
|
${pkgs.coreutils}/bin/chmod 750 /backups
|
|
|
|
'';
|
|
|
|
|
2019-05-29 13:49:45 +00:00
|
|
|
krebs.permown = {
|
2019-10-14 13:45:27 +00:00
|
|
|
"/backups/domsen" = {
|
|
|
|
owner = "backup";
|
|
|
|
group = "syncthing";
|
2019-05-29 13:49:45 +00:00
|
|
|
umask = "0007";
|
|
|
|
};
|
2019-10-14 13:45:27 +00:00
|
|
|
"/srv/http" = {
|
|
|
|
owner = "syncthing";
|
2019-05-29 13:49:45 +00:00
|
|
|
group = "nginx";
|
|
|
|
umask = "0007";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2015-12-12 17:21:50 +00:00
|
|
|
}
|
|
|
|
|