Merge remote-tracking branch 'lass/master'

2016-12-28 03:40:28 +01:00 · 2016-12-28 03:40:28 +01:00 · c422632d03
commit c422632d03
parent 096d83fe89 0d61093e18
23 changed files with 434 additions and 818 deletions
--- a/krebs/3modules/lass/default.nix
+++ b/krebs/3modules/lass/default.nix
@ -298,6 +298,7 @@ with import <stockholm/lib>;
          '';
        };
      };
+      secure = true;
      ssh.privkey.path = <secrets/ssh.id_ed25519>;
      ssh.pubkey = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOPgQIMYiyD4/Co+nlOQWEzCKssemOEXAY/lbIZZaMhj";
    };
--- a/krebs/3modules/realwallpaper.nix
+++ b/krebs/3modules/realwallpaper.nix
@ -24,7 +24,7 @@ let

    daymap = mkOption {
      type = types.str;
-      default = "http://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
+      default = "https://www.nnvl.noaa.gov/images/globaldata/SnowIceCover_Daily.png";
    };

    cloudmap = mkOption {
--- a/krebs/5pkgs/git-hooks/default.nix
+++ b/krebs/5pkgs/git-hooks/default.nix
@ -108,67 +108,5 @@ let
    fi
  '';

-  irc-announce-script = pkgs.writeDash "irc-announce-script" ''
-    set -euf
-
-    export PATH=${makeSearchPath "bin" (with pkgs; [
-      coreutils
-      gawk
-      gnused
-      netcat
-      nettools
-    ])}
-
-    IRC_SERVER=$1
-    IRC_PORT=$2
-    IRC_NICK=$3$$
-    IRC_CHANNEL=$4
-    message=$5
-
-    export IRC_CHANNEL # for privmsg_cat
-
-    # echo2 and cat2 are used output to both, stdout and stderr
-    # This is used to see what we send to the irc server. (debug output)
-    echo2() { echo "$*"; echo "$*" >&2; }
-    cat2() { tee /dev/stderr; }
-
-    # privmsg_cat transforms stdin to a privmsg
-    privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
-
-    # ircin is used to feed the output of netcat back to the "irc client"
-    # so we can implement expect-like behavior with sed^_^
-    # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
-    tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
-    cd "$tmpdir"
-    mkfifo ircin
-    trap "
-      rm ircin
-      cd '$OLDPWD'
-      rmdir '$tmpdir'
-      trap - EXIT INT QUIT
-    " EXIT INT QUIT
-
-    {
-      echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
-      echo2 "NICK $IRC_NICK"
-
-      # wait for MODE message
-      sed -n '/^:[^ ]* MODE /q'
-
-      echo2 "JOIN $IRC_CHANNEL"
-
-      printf '%s' "$message" \
-        | privmsg_cat \
-        | cat2
-
-      echo2 "PART $IRC_CHANNEL"
-
-      # wait for PART confirmation
-      sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
-
-      echo2 'QUIT :Gone to have lunch'
-    } < ircin \
-      | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
-  '';
-
+  irc-announce-script = "${pkgs.irc-announce}/bin/irc-announce";
 in out
--- a/krebs/5pkgs/irc-announce/default.nix
+++ b/krebs/5pkgs/irc-announce/default.nix
@ -0,0 +1,68 @@
+{ pkgs, lib, ... }:
+
+with lib;
+
+pkgs.writeDashBin "irc-announce" ''
+  set -euf
+
+  export PATH=${makeSearchPath "bin" (with pkgs; [
+    coreutils
+    gawk
+    gnused
+    netcat
+    nettools
+  ])}
+
+  IRC_SERVER=$1
+  IRC_PORT=$2
+  IRC_NICK=$3$$
+  IRC_CHANNEL=$4
+  message=$5
+
+  export IRC_CHANNEL # for privmsg_cat
+
+  # echo2 and cat2 are used output to both, stdout and stderr
+  # This is used to see what we send to the irc server. (debug output)
+  echo2() { echo "$*"; echo "$*" >&2; }
+  cat2() { tee /dev/stderr; }
+
+  # privmsg_cat transforms stdin to a privmsg
+  privmsg_cat() { awk '{ print "PRIVMSG "ENVIRON["IRC_CHANNEL"]" :"$0 }'; }
+
+  # we cd to /tmp here to be able to create a tmpdir in the first place
+  cd /tmp
+  # ircin is used to feed the output of netcat back to the "irc client"
+  # so we can implement expect-like behavior with sed^_^
+  # XXX mkselfdestructingtmpfifo would be nice instead of this cruft
+  tmpdir="$(mktemp -d irc-announce_XXXXXXXX)"
+  cd "$tmpdir"
+  mkfifo ircin
+  trap "
+    rm ircin
+    cd '$OLDPWD'
+    rmdir '$tmpdir'
+    trap - EXIT INT QUIT
+  " EXIT INT QUIT
+
+  {
+    echo2 "USER $LOGNAME 0 * :$LOGNAME@$(hostname)"
+    echo2 "NICK $IRC_NICK"
+
+    # wait for MODE message
+    sed -n '/^:[^ ]* MODE /q'
+
+    echo2 "JOIN $IRC_CHANNEL"
+
+    printf '%s' "$message" \
+      | privmsg_cat \
+      | cat2
+
+    echo2 "PART $IRC_CHANNEL"
+
+    # wait for PART confirmation
+    sed -n '/:'"$IRC_NICK"'![^ ]* PART /q'
+
+    echo2 'QUIT :Gone to have lunch'
+  } < ircin \
+    | nc "$IRC_SERVER" "$IRC_PORT" | tee -a ircin
+''
--- a/lass/1systems/mors.nix
+++ b/lass/1systems/mors.nix
@ -17,7 +17,6 @@ with import <stockholm/lib>;
    ../2configs/steam.nix
    ../2configs/wine.nix
    ../2configs/git.nix
-    ../2configs/skype.nix
    ../2configs/libvirt.nix
    ../2configs/fetchWallpaper.nix
    #../2configs/c-base.nix
@ -66,20 +65,18 @@ with import <stockholm/lib>;
      };
    }
    {
-      krebs.nginx = {
+      services.nginx = {
        enable = true;
-        servers.default = {
-          server-names = [
+        virtualHosts.default = {
+          serverAliases = [
            "localhost"
            "${config.krebs.build.host.name}"
            "${config.krebs.build.host.name}.r"
            "${config.krebs.build.host.name}.retiolum"
          ];
-          locations = [
-            (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-              alias /home/$1/public_html$2;
-            '')
-          ];
+          locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+            alias /home/$1/public_html$2;
+          '';
        };
      };
    }
@ -89,6 +86,137 @@ with import <stockholm/lib>;
    {
      virtualisation.libvirtd.enable = true;
    }
+    {
+      services.nginx = {
+        enable = mkDefault true;
+        virtualHosts = {
+          "stats.mors" = {
+            locations = {
+              "/"  = {
+                proxyPass  = "http://localhost:3000/";
+                extraConfig = ''
+                  proxy_set_header   Host             $host;
+                  proxy_set_header   X-Real-IP        $remote_addr;
+                  proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
+                '';
+              };
+            };
+          };
+        };
+      };
+
+      services.grafana = {
+        enable = true;
+        addr = "127.0.0.1";
+        users.allowSignUp = false;
+        users.allowOrgCreate = false;
+        users.autoAssignOrg = false;
+        auth.anonymous.enable = true;
+        security = import <secrets/grafana_security.nix>; # { AdminUser = ""; adminPassword = ""}
+      };
+
+      services.graphite = {
+        api = {
+          enable = true;
+          listenAddress = "127.0.0.1";
+          port = 18080;
+        };
+        carbon = {
+          enableCache = true;
+          # save disk usage by restricting to 1 bulk update per second
+          config = ''
+            [cache]
+            MAX_CACHE_SIZE = inf
+            MAX_UPDATES_PER_SECOND = 1
+            MAX_CREATES_PER_MINUTE = 500
+            '';
+          storageSchemas = ''
+            [carbon]
+            pattern = ^carbon\.
+            retentions = 60:90d
+
+            [elchos]
+            patterhn = ^elchos\.
+            retentions = 10s:30d,60s:3y
+
+            [default]
+            pattern = .*
+            retentions = 30s:30d,300s:1y
+            '';
+        };
+      };
+
+      services.collectd = {
+        enable = true;
+        include = [ (toString (pkgs.writeText "collectd-graphite-cfg" ''
+          LoadPlugin write_graphite
+          <Plugin "write_graphite">
+            <Carbon>
+              Host "localhost"
+              Port "2003"
+              EscapeCharacter "_"
+              StoreRates false
+              AlwaysAppendDS false
+            </Carbon>
+          </Plugin>
+        ''))
+        ];
+        extraConfig = ''
+          LoadPlugin interface
+          LoadPlugin battery
+          LoadPlugin load
+          LoadPlugin cpu
+          LoadPlugin entropy
+          LoadPlugin write_graphite
+          <Plugin "interface">
+            Interface "et0"
+            Interface "wl0"
+            Interface "retiolum"
+          </Plugin>
+        '';
+      };
+      services.graphite.beacon = {
+        enable = true;
+        config = {
+          graphite_url = "http://localhost:18080";
+          cli = {
+            command = ''${pkgs.irc-announce}/bin/irc-announce irc.freenode.org 6667 mors-beacon-alert \#krebs ' ''${level} ''${name} ''${value}' '';
+          };
+          smtp = {
+            from = "beacon@mors.r";
+            to = [
+              "lass@mors.r"
+            ];
+          };
+          normal_handlers = [
+            "smtp"
+            "cli"
+          ];
+          warning_handlers = [
+            "smtp"
+            "cli"
+          ];
+          critical_handlers = [
+            "smtp"
+            "cli"
+          ];
+          alerts = [
+            {
+              name = "testbattery";
+              query = "*.battery-0.capacity";
+              method = "last_value";
+              interval = "1minute";
+              logging = "info";
+              repeat_interval = "5minute";
+              rules = [
+                "warning: < 30.0"
+                "critical: < 10.0"
+              ];
+            }
+          ];
+        };
+      };
+    }
  ];

  krebs.build.host = config.krebs.hosts.mors;
@ -238,8 +366,4 @@ with import <stockholm/lib>;
  krebs.repo-sync.timerConfig = {
    OnCalendar = "00:37";
  };
-
-  services.mongodb = {
-    enable = true;
-  };
 }
--- a/lass/1systems/prism.nix
+++ b/lass/1systems/prism.nix
@ -24,6 +24,8 @@ in {
    ../2configs/repo-sync.nix
    ../2configs/binary-cache/server.nix
    ../2configs/iodined.nix
+    ../2configs/libvirt.nix
+    ../2configs/hfos.nix
    {
      users.extraGroups = {
        # ● systemd-tmpfiles-setup.service - Create Volatile Files and Directories
@ -178,11 +180,9 @@ in {
      imports = [
        ../2configs/realwallpaper.nix
      ];
-      krebs.nginx.servers."lassul.us".locations = [
-        (lib.nameValuePair "/wallpaper.png" ''
-          alias /tmp/wallpaper.png;
-        '')
-      ];
+      services.nginx.virtualHosts."lassul.us".locations."/wallpaper.png".extraConfig = ''
+        alias /tmp/wallpaper.png;
+      '';
    }
    {
      environment.systemPackages = with pkgs; [
@ -202,16 +202,13 @@ in {
      };
    }
    {
-      krebs.nginx = {
+      services.nginx = {
        enable = true;
-        servers.public = {
-          listen = [ "8088" ];
-          server-names = [ "default" ];
-          locations = [
-            (nameValuePair "~ ^/~(.+?)(/.*)?\$" ''
-              alias /home/$1/public_html$2;
-            '')
-          ];
+        virtualHosts.public = {
+          port = 8088;
+          locations."~ ^/~(.+?)(/.*)?\$".extraConfig = ''
+            alias /home/$1/public_html$2;
+          '';
        };
      };
      krebs.iptables.tables.filter.INPUT.rules = [
@ -228,10 +225,6 @@ in {
        enable = true;
      };
    }
-    {
-      virtualisation.libvirtd.enable = true;
-      users.users.mainUser.extraGroups = [ "libvirtd" ];
-    }
  ];

  krebs.build.host = config.krebs.hosts.prism;
--- a/lass/2configs/binary-cache/server.nix
+++ b/lass/2configs/binary-cache/server.nix
@ -17,13 +17,13 @@
    owner.name = "nix-serve";
    source-path = toString <secrets> + "/nix-serve.key";
  };
-  krebs.nginx = {
+  services.nginx = {
    enable = true;
-    servers.nix-serve = {
-      server-names = [ "cache.prism.r" ];
-      locations = lib.singleton (lib.nameValuePair "/" ''
+    virtualHosts.nix-serve = {
+      serverAliases = [ "cache.prism.r" ];
+      locations."/".extraConfig = ''
        proxy_pass http://localhost:${toString config.services.nix-serve.port};
-      '');
+      '';
    };
  };
 }
--- a/lass/2configs/downloading.nix
+++ b/lass/2configs/downloading.nix
@ -40,9 +40,8 @@ with import <stockholm/lib>;
    enable = true;
    web = {
      enable = true;
-      enableAuth = true;
-      listenAddress = "9091";
-      authfile = <secrets/torrent-authfile>;
+      port = 9091;
+      basicAuth = import <secrets/torrent-auth>;
    };
    rutorrent.enable = true;
    enableXMLRPC = true;
--- a/lass/2configs/go.nix
+++ b/lass/2configs/go.nix
@ -8,16 +8,14 @@ with import <stockholm/lib>;
  krebs.go = {
    enable = true;
  };
-  krebs.nginx = {
+  services.nginx = {
    enable = true;
-    servers.go = {
-      locations = [
-        (nameValuePair "/" ''
-          proxy_set_header Host go;
-          proxy_pass http://localhost:1337;
-        '')
-      ];
-      server-names = [
+    virtualHosts.go = {
+      locations."/".extraConfig = ''
+        proxy_set_header Host go;
+        proxy_pass http://localhost:1337;
+      '';
+      serverAliases = [
        "go"
        "go.retiolum"
      ];
--- a/lass/2configs/hfos.nix
+++ b/lass/2configs/hfos.nix
@ -0,0 +1,33 @@
+{ config, lib, pkgs, ... }:
+
+with import <stockholm/lib>;
+{
+  users.users.riot = {
+    uid = genid "riot";
+    isNormalUser = true;
+    extraGroups = [ "libvirtd" ];
+    openssh.authorizedKeys.keys = [
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC5NnADMRySix1kcxQwseHfem/SCDmkbvwc+ZZu7HFz4zss1k4Fh1knsukMY83zlno8p/8bBPWyixLTxuZHNy26af8GP95bvV3brnpRmrijkE4dOlpd+wvPcIyTKNunJvMzNDP/ry9g2GczEZKGWvQZudq/nI54HaCaRWM2kzEMEg8Rr9SGlZEKo8B+8HGVsz1a8USOnm8dqYP9dmfLdpy/s+7yWJSPh8wokvWeOOrahirOhO99ZfXm2gcdHqSKvbD2+4EYEm5w8iFrbYBT2wZ3u9ZOiooL/JuEBBdnDrcqZqeaTw0vOdKPvkUP8/rzRjvIwSkynMSD8fixpdGRNeIB riot@lagrange"
+      config.krebs.users.lass.pubkey
+    ];
+  };
+
+  networking.interfaces.et0.ip4 = [
+    {
+      address = "213.239.205.246";
+      prefixLength = 24;
+    }
+  ];
+
+  krebs.iptables.tables.nat.PREROUTING.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 22"; target = "DNAT --to-destination 192.168.122.208:22"; }
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 80"; target = "DNAT --to-destination 192.168.122.208:1080"; }
+    { v6 = false; precedence = 1000; predicate = "-d 213.239.205.246 -p tcp --dport 443"; target = "DNAT --to-destination 192.168.122.208:1443"; }
+  ];
+
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 22 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1080 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+    { v6 = false; precedence = 1000; predicate = "-d 192.168.122.208 -p tcp --dport 1443 -m state --state NEW,ESTABLISHED,RELATED"; target = "ACCEPT"; }
+  ];
+}
--- a/lass/2configs/libvirt.nix
+++ b/lass/2configs/libvirt.nix
@ -1,23 +1,30 @@
 { config, lib, pkgs, ... }:

-let
-  mainUser = config.users.extraUsers.mainUser;
-  inherit (import <stockholm/lib>) genid;
-
-in {
+{
+  users.users.mainUser.extraGroups = [ "libvirtd" ];
  virtualisation.libvirtd.enable = true;

-  users.extraUsers = {
-    libvirt = {
-      uid = genid "libvirt";
-      description = "user for running libvirt stuff";
-      home = "/home/libvirt";
-      useDefaultShell = true;
-      extraGroups = [ "libvirtd" "audio" ];
-      createHome = true;
-    };
-  };
-  security.sudo.extraConfig = ''
-    ${mainUser.name} ALL=(libvirt) NOPASSWD: ALL
-  '';
+  krebs.iptables.tables.filter.INPUT.rules = [
+    { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 53"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 53"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -p udp -m udp --dport 67"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -p tcp -m tcp --dport 67"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.filter.FORWARD.rules = [
+    { v6 = false; predicate = "-d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 -i virbr0"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-i virbr0 -o virbr0"; target = "ACCEPT"; }
+    { v6 = false; predicate = "-o virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+    { v6 = false; predicate = "-i virbr0"; target = "REJECT --reject-with icmp-port-unreachable"; }
+  ];
+  krebs.iptables.tables.filter.OUTPUT.rules = [
+    { v6 = false; predicate = "-o virbr0 -p udp -m udp --dport 68"; target = "ACCEPT"; }
+  ];
+  krebs.iptables.tables.nat.POSTROUTING.rules = [
+    { v6 = false; predicate = "-s 192.168.122.0/24 -d 224.0.0.0/24"; target = "RETURN"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 -d 255.255.255.255"; target = "RETURN"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24"; target = "MASQUERADE"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp"; target = "MASQUERADE --to-ports 1024-65535"; }
+    { v6 = false; predicate = "-s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp"; target = "MASQUERADE --to-ports 1024-65535"; }
+  ];
 }
--- a/lass/2configs/nixpkgs.nix
+++ b/lass/2configs/nixpkgs.nix
@ -2,7 +2,7 @@

 {
  krebs.build.source.nixpkgs.git = {
-    url = https://github.com/nixos/nixpkgs;
-    ref = "2a97e149e50e1c701a957c6bd060cc74b7e9a905";
+    url = https://github.com/lassulus/nixpkgs;
+    ref = "819c1ab486a9c81d6a6b76c759aedece2df39037";
  };
 }
--- a/lass/2configs/radio.nix
+++ b/lass/2configs/radio.nix
@ -156,7 +156,7 @@ in {
      })
    ];
  };
-  krebs.nginx.servers."lassul.us".locations = let
+  services.nginx.virtualHosts."lassul.us".locations."/the_playlist".extraConfig = let
    html = pkgs.writeText "index.html" ''
      <!DOCTYPE html>
      <html lang="en">
@ -175,10 +175,8 @@ in {
        </body>
      </html>
    '';
-  in [
-    (nameValuePair "/the_playlist" ''
-      default_type "text/html";
-      alias ${html};
-    '')
-  ];
+  in ''
+    default_type "text/html";
+    alias ${html};
+  '';
 }
--- a/lass/2configs/realwallpaper.nix
+++ b/lass/2configs/realwallpaper.nix
@ -9,15 +9,13 @@ let
 in {
  krebs.realwallpaper.enable = true;

-  krebs.nginx.servers.wallpaper = {
-    server-names = [
+  services.nginx.virtualHosts.wallpaper = {
+    serverAliases = [
      hostname
    ];
-    locations = [
-      (nameValuePair "/wallpaper.png" ''
-        root /tmp/;
-      '')
-    ];
+    locations."/wallpaper.png".extraConfig = ''
+      root /tmp/;
+    '';
  };

  krebs.iptables = {
--- a/lass/2configs/tests/dummy-secrets/torrent-auth
+++ b/lass/2configs/tests/dummy-secrets/torrent-auth
@ -0,0 +1,3 @@
+{
+  x = "xxx";
+}
--- a/lass/2configs/tests/dummy-secrets/torrent-authfile
+++ b/lass/2configs/tests/dummy-secrets/torrent-authfile
@ -1 +0,0 @@
-"xxx"
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@ -35,10 +35,10 @@ in {
    (servePage [ "makeup.apanowicz.de" "www.makeup.apanowicz.de" ])

    (ssl [ "pixelpocket.de" ])
-    (servePage [ "pixelpocket.de" "www.pixelpocket.de" ])
+    (servePage [ "pixelpocket.de" ])

    (ssl [ "o.ubikmedia.de" ])
-    (serveOwncloud [ "o.ubikmedia.de" "www.o.ubikmedia.de" ])
+    (serveOwncloud [ "o.ubikmedia.de" ])

    (ssl [
      "ubikmedia.de"
@ -88,15 +88,12 @@ in {
      "www.illucloud.eu"
      "www.illucloud.de"
      "www.illucloud.com"
-      "*.ubikmedia.de"
    ])
  ];

-  krebs.nginx.servers."ubikmedia.de".locations = [
-    (lib.nameValuePair "/piwik" ''
-      try_files $uri $uri/ /index.php?$args;
-    '')
-  ];
+  services.nginx.virtualHosts."ubikmedia.de".locations."/piwika".extraConfig = ''
+    try_files $uri $uri/ /index.php?$args;
+  '';

  lass.mysqlBackup.config.all.databases = [
    "ubikmedia_de"
--- a/lass/2configs/websites/fritz.nix
+++ b/lass/2configs/websites/fritz.nix
@ -7,7 +7,6 @@ let
    head
  ;
  inherit (import <stockholm/lass/2configs/websites/util.nix> {inherit lib pkgs;})
-    manageCerts
    ssl
    servePage
    serveWordpress
@ -26,8 +25,6 @@ let
 in {
  imports = [
    ./sqlBackup.nix
-    (ssl [ "biostase.de" "www.biostase.de" ])
-    (serveWordpress [ "biostase.de" "www.biostase.de" ])

    (ssl [ "radical-dreamers.de" "www.radical-dreamers.de" ])
    (serveWordpress [ "radical-dreamers.de" "www.radical-dreamers.de" ])
@ -50,30 +47,17 @@ in {
    (ssl [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])
    (servePage [ "habsys.de" "www.habsys.de" "habsys.eu" "www.habsys.eu" ])

-    (manageCerts [ "goldbarrendiebstahl.radical-dreamers.de" ])
+    (ssl [ "goldbarrendiebstahl.radical-dreamers.de" ])
    (serveWordpress [ "goldbarrendiebstahl.radical-dreamers.de" ])
  ];

  lass.mysqlBackup.config.all.databases = [
-    "biostase_de"
    "eastuttgart_de"
    "radical_dreamers_de"
    "spielwaren_kern_de"
    "ttf_kleinaspach_de"
  ];

-  #password protect some dirs
-  krebs.nginx.servers."biostase.de".locations = [
-    (nameValuePair "/old_biostase.de" ''
-      auth_basic "Administrator Login";
-      auth_basic_user_file /srv/http/biostase.de/old_biostase.de/.htpasswd;
-    '')
-    (nameValuePair "/mysqldumper" ''
-      auth_basic "Administrator Login";
-      auth_basic_user_file /srv/http/biostase.de/mysqldumper/.htpasswd;
-    '')
-  ];
-
  users.users.root.openssh.authorizedKeys.keys = [
    config.krebs.users.fritz.pubkey
  ];
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@ -14,7 +14,7 @@ in {
  security.acme = {
    certs."lassul.us" = {
      email = "lass@lassul.us";
-      webroot = "/var/lib/acme/challenges/lassul.us";
+      webroot = "/var/lib/acme/acme-challenges";
      plugins = [
        "account_key.json"
        "key.pem"
@ -26,7 +26,7 @@ in {
    };
    certs."cgit.lassul.us" = {
      email = "lassulus@gmail.com";
-      webroot = "/var/lib/acme/challenges/cgit.lassul.us";
+      webroot = "/var/lib/acme/acme-challenges";
      plugins = [
        "account_key.json"
        "key.pem"
@ -69,59 +69,54 @@ in {
    "nginx"
  ];

-  krebs.nginx.servers."lassul.us" = {
-    server-names = [ "lassul.us" ];
-    locations = [
-      (nameValuePair "/" ''
-        root /srv/http/lassul.us;
-      '')
-      (nameValuePair "/.well-known/acme-challenge" ''
-        root /var/lib/acme/challenges/lassul.us/;
-      '')
-      (nameValuePair "= /retiolum-hosts.tar.bz2" ''
-        alias ${config.krebs.tinc.retiolum.hostsArchive};
-      '')
-      (nameValuePair "/tinc" ''
-        alias ${config.krebs.tinc_graphs.workingDir}/external;
-      '')
-      (let
-        script = pkgs.writeBash "test" ''
-          echo "hello world"
-        '';
-        #script = pkgs.execve "ddate-wrapper" {
-        #  filename = "${pkgs.ddate}/bin/ddate";
-        #  argv = [];
-        #};
-      in nameValuePair "= /ddate" ''
-        gzip off;
-        fastcgi_pass unix:/var/run/lass-stuff.socket;
-        include ${pkgs.nginx}/conf/fastcgi_params;
-        fastcgi_param DOCUMENT_ROOT /var/empty;
-        fastcgi_param SCRIPT_FILENAME ${script};
-        fastcgi_param SCRIPT_NAME ${script};
-      '')
-    ];
-    ssl = {
-      enable = true;
-      certificate = "/var/lib/acme/lassul.us/fullchain.pem";
-      certificate_key = "/var/lib/acme/lassul.us/key.pem";
-    };
+  services.nginx.virtualHosts."lassul.us" = {
+    serverAliases = [ "lassul.us" ];
+    locations."/".extraConfig = ''
+      root /srv/http/lassul.us;
+    '';
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/challenges/lassul.us/;
+    '';
+    locations."= /retiolum-hosts.tar.bz2".extraConfig = ''
+      alias ${config.krebs.tinc.retiolum.hostsArchive};
+    '';
+    locations."/tinc".extraConfig = ''
+      alias ${config.krebs.tinc_graphs.workingDir}/external;
+    '';
+    locations."= /ddate".extraConfig = let
+      script = pkgs.writeBash "test" ''
+        echo "hello world"
+      '';
+      #script = pkgs.execve "ddate-wrapper" {
+      #  filename = "${pkgs.ddate}/bin/ddate";
+      #  argv = [];
+      #};
+    in ''
+      gzip off;
+      fastcgi_pass unix:/var/run/lass-stuff.socket;
+      include ${pkgs.nginx}/conf/fastcgi_params;
+      fastcgi_param DOCUMENT_ROOT /var/empty;
+      fastcgi_param SCRIPT_FILENAME ${script};
+      fastcgi_param SCRIPT_NAME ${script};
+    '';
+
+    enableSSL = true;
+    extraConfig = "listen 80;";
+    sslCertificate = "/var/lib/acme/lassul.us/fullchain.pem";
+    sslCertificateKey = "/var/lib/acme/lassul.us/key.pem";
  };

-  krebs.nginx.servers.cgit = {
-    server-names = [
+  services.nginx.virtualHosts.cgit = {
+    serverAliases = [
      "cgit.lassul.us"
    ];
-    locations = [
-      (nameValuePair "/.well-known/acme-challenge" ''
-        root /var/lib/acme/challenges/cgit.lassul.us/;
-      '')
-    ];
-    ssl = {
-      enable = true;
-      certificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
-      certificate_key = "/var/lib/acme/cgit.lassul.us/key.pem";
-    };
+    locations."/.well-known/acme-challenge".extraConfig = ''
+      root /var/lib/acme/acme-challenges;
+    '';
+    enableSSL = true;
+    extraConfig = "listen 80;";
+    sslCertificate = "/var/lib/acme/cgit.lassul.us/fullchain.pem";
+    sslCertificateKey = "/var/lib/acme/cgit.lassul.us/key.pem";
  };

  users.users.blog = {
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@ -4,66 +4,24 @@ with lib;

 rec {

-  manageCerts = domains:
+  ssl = domains :
    let
      domain = head domains;
    in {
-      #security.acme = {
-      #  certs."${domain}" = {
-      #    email = "lassulus@gmail.com";
-      #    webroot = "/var/lib/acme/challenges/${domain}";
-      #    plugins = [
-      #      "account_key.json"
-      #      "key.pem"
-      #      "fullchain.pem"
-      #    ];
-      #    group = "nginx";
-      #    allowKeysForGroup = true;
-      #    extraDomains = genAttrs domains (_: null);
-      #  };
-      #};
-
-      krebs.nginx.servers."${domain}" = {
-        ssl.acmeEnable = true;
-        server-names = domains;
-        #locations = [
-        #  (nameValuePair "/.well-known/acme-challenge" ''
-        #    root /var/lib/acme/challenges/${domain}/;
-        #  '')
-        #];
-      };
-    };
-
-  ssl = domains:
-    {
-      imports = [
-        ( manageCerts domains )
-        #( activateACME (head domains) )
-      ];
-    };
-
-  activateACME = domain:
-    {
-      krebs.nginx.servers.${domain} = {
-        ssl = {
-          enable = true;
-          certificate = "/var/lib/acme/${domain}/fullchain.pem";
-          certificate_key = "/var/lib/acme/${domain}/key.pem";
-        };
-      };
    };

  servePage = domains:
    let
      domain = head domains;
    in {
-      krebs.nginx.servers.${domain} = {
-        server-names = domains;
-        locations = [
-          (nameValuePair "/" ''
-            root /srv/http/${domain};
-          '')
-        ];
+      services.nginx.virtualHosts.${domain} = {
+        enableACME = true;
+        enableSSL = true;
+        extraConfig = "listen 80;";
+        serverAliases = domains;
+        locations."/".extraConfig = ''
+          root /srv/http/${domain};
+        '';
      };
    };

@ -71,9 +29,13 @@ rec {
    let
      domain = head domains;
    in {
-      krebs.nginx.servers."${domain}" = {
-        server-names = domains;
+      services.nginx.virtualHosts."${domain}" = {
+        enableACME = true;
+        enableSSL = true;
+        serverAliases = domains;
        extraConfig = ''
+          listen 80;
+
          # Add headers to serve security related headers
          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
          add_header X-Content-Type-Options nosniff;
@ -109,56 +71,53 @@ rec {
          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
        '';
-        locations = [
-          (nameValuePair "/robots.txt" ''
-            allow all;
-            log_not_found off;
-            access_log off;
-          '')
-          (nameValuePair "~ ^/(build|tests|config|lib|3rdparty|templates|data)/" ''
-            deny all;
-          '')
+        locations."/robots.txt".extraConfig = ''
+          allow all;
+          log_not_found off;
+          access_log off;
+        '';
+        locations."~ ^/(build|tests|config|lib|3rdparty|templates|data)/".extraConfig = ''
+          deny all;
+        '';

-          (nameValuePair "~ ^/(?:autotest|occ|issue|indie|db_|console)" ''
-            deny all;
-          '')
+        locations."~ ^/(?:autotest|occ|issue|indie|db_|console)".extraConfig =  ''
+          deny all;
+        '';

-          (nameValuePair "/" ''
-            rewrite ^/remote/(.*) /remote.php last;
-            rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-            try_files $uri $uri/ =404;
-          '')
+        locations."/".extraConfig = ''
+          rewrite ^/remote/(.*) /remote.php last;
+          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
+          try_files $uri $uri/ =404;
+        '';

-          (nameValuePair "~ \.php(?:$|/)" ''
-            fastcgi_split_path_info ^(.+\.php)(/.+)$;
-            include ${pkgs.nginx}/conf/fastcgi_params;
-            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-            fastcgi_param PATH_INFO $fastcgi_path_info;
-            fastcgi_param HTTPS on;
-            fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
-            fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
-            fastcgi_intercept_errors on;
-          '')
+        locations."~ \.php(?:$|/)".extraConfig =  ''
+          fastcgi_split_path_info ^(.+\.php)(/.+)$;
+          include ${pkgs.nginx}/conf/fastcgi_params;
+          fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+          fastcgi_param PATH_INFO $fastcgi_path_info;
+          fastcgi_param HTTPS on;
+          fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
+          fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+          fastcgi_intercept_errors on;
+        '';

-          # Adding the cache control header for js and css files
-          # Make sure it is BELOW the location ~ \.php(?:$|/) { block
-          (nameValuePair "~* \.(?:css|js)$" ''
-            add_header Cache-Control "public, max-age=7200";
-            # Add headers to serve security related headers
-            add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
-            add_header X-Content-Type-Options nosniff;
-            add_header X-Frame-Options "SAMEORIGIN";
-            add_header X-XSS-Protection "1; mode=block";
-            add_header X-Robots-Tag none;
-            # Optional: Don't log access to assets
-            access_log off;
-          '')
-
-          # Optional: Don't log access to other assets
-          (nameValuePair "~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$" ''
-            access_log off;
-          '')
-        ];
+        # Adding the cache control header for js and css files
+        # Make sure it is BELOW the location ~ \.php(?:$|/) { block
+        locations."~* \.(?:css|js)$".extraConfig = ''
+          add_header Cache-Control "public, max-age=7200";
+          # Add headers to serve security related headers
+          add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
+          add_header X-Content-Type-Options nosniff;
+          add_header X-Frame-Options "SAMEORIGIN";
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag none;
+          # Optional: Don't log access to assets
+          access_log off;
+        '';
+        # Optional: Don't log access to other assets
+        locations."~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$".extraConfig = ''
+          access_log off;
+        '';
      };
      services.phpfpm.poolConfigs."${domain}" = ''
        listen = /srv/http/${domain}/phpfpm.pool
@ -183,9 +142,12 @@ rec {
      domain = head domains;

    in {
-      krebs.nginx.servers."${domain}" = {
-        server-names = domains;
+      services.nginx.virtualHosts."${domain}" = {
+        enableACME = true;
+        enableSSL = true;
+        serverAliases = domains;
        extraConfig = ''
+          listen 80;
          root /srv/http/${domain}/;
          index index.php;
          access_log /tmp/nginx_acc.log;
@ -194,24 +156,19 @@ rec {
          error_page 500 502 503 504 /50x.html;
          client_max_body_size 100m;
        '';
-        locations = [
-          (nameValuePair "/" ''
-            try_files $uri $uri/ /index.php?$args;
-          '')
-          (nameValuePair "~ \.php$" ''
-            fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
-            include ${pkgs.nginx}/conf/fastcgi.conf;
-          '')
-          #(nameValuePair "~ /\\." ''
-          #  deny all;
-          #'')
-          #Directives to send expires headers and turn off 404 error logging.
-          (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
-            access_log off;
-            log_not_found off;
-            expires max;
-          '')
-        ];
+        locations."/".extraConfig = ''
+          try_files $uri $uri/ /index.php?$args;
+        '';
+        locations."~ \.php$".extraConfig = ''
+          fastcgi_pass unix:/srv/http/${domain}/phpfpm.pool;
+          include ${pkgs.nginx}/conf/fastcgi.conf;
+        '';
+        #Directives to send expires headers and turn off 404 error logging.
+        locations."~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$".extraConfig = ''
+          access_log off;
+          log_not_found off;
+          expires max;
+        '';
      };
      services.phpfpm.poolConfigs."${domain}" = ''
        listen = /srv/http/${domain}/phpfpm.pool
--- a/lass/3modules/default.nix
+++ b/lass/3modules/default.nix
@ -8,7 +8,6 @@ _:
    ./umts.nix
    ./urxvtd.nix
    ./usershadow.nix
-    ./wordpress_nginx.nix
    ./xresources.nix
  ];
 }
--- a/lass/3modules/owncloud_nginx.nix
+++ b/lass/3modules/owncloud_nginx.nix
@ -1,210 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
-  cfg = config.lass.owncloud;
-
-  out = {
-    options.lass.owncloud = api;
-    config = imp;
-  };
-
-  api = mkOption {
-    type = with types; attrsOf (submodule ({ config, ... }: {
-      options = {
-        domain = mkOption {
-          type = str;
-          default = config._module.args.name;
-        };
-        dataDir = mkOption {
-          type = str;
-          default = "${config.folder}/data";
-        };
-        dbUser = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        dbName = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        dbType = mkOption {
-        # TODO: check for valid dbType
-          type = str;
-          default = "mysql";
-        };
-        folder = mkOption {
-          type = str;
-          default = "/srv/http/${config.domain}";
-        };
-        auto = mkOption {
-          type = bool;
-          default = false;
-        };
-        instanceid = mkOption {
-          type = str;
-        };
-      };
-    }));
-    default = {};
-  };
-
-  user = config.services.nginx.user;
-  group = config.services.nginx.group;
-
-  imp = {
-    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, ... }: {
-      server-names = [
-        "${domain}"
-        "www.${domain}"
-      ];
-      locations = [
-        (nameValuePair "/" ''
-          # The following 2 rules are only needed with webfinger
-          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
-          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
-
-          rewrite ^/.well-known/carddav /remote.php/carddav/ redirect;
-          rewrite ^/.well-known/caldav /remote.php/caldav/ redirect;
-
-          rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;
-
-          try_files $uri $uri/ /index.php;
-        '')
-        (nameValuePair "~ \.php$" ''
-          fastcgi_split_path_info ^(.+\.php)(/.+)$;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-          fastcgi_param PATH_INFO $fastcgi_path_info;
-          fastcgi_pass unix:${folder}/phpfpm.pool;
-        '')
-        (nameValuePair "~ /\\." ''
-          deny all;
-        '')
-      ];
-      extraConfig = ''
-        root ${folder}/;
-        #index index.php;
-        access_log /tmp/nginx_acc.log;
-        error_log /tmp/nginx_err.log;
-
-        # set max upload size
-        client_max_body_size 10G;
-        fastcgi_buffers 64 4K;
-
-        rewrite ^/caldav(.*)$ /remote.php/caldav$1 redirect;
-        rewrite ^/carddav(.*)$ /remote.php/carddav$1 redirect;
-        rewrite ^/webdav(.*)$ /remote.php/webdav$1 redirect;
-
-        error_page 403 /core/templates/403.php;
-        error_page 404 /core/templates/404.php;
-      '';
-    });
-    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
-      listen = ${folder}/phpfpm.pool
-      user = ${user}
-      group = ${group}
-      pm = dynamic
-      pm.max_children = 5
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      listen.owner = ${user}
-      listen.group = ${group}
-      php_admin_value[error_log] = 'stderr'
-      php_admin_flag[log_errors] = on
-      catch_workers_output = yes
-    '');
-    #systemd.services = flip mapAttrs' cfg (name: { domain, folder, dbName, dbUser, dbType, dataDir, instanceid, ... }: {
-    #  name = "owncloudInit-${name}";
-    #  value = {
-    #    path = [
-    #      pkgs.mysql
-    #      pkgs.su
-    #      pkgs.gawk
-    #      pkgs.jq
-    #    ];
-    #    requiredBy = [ "nginx.service" ];
-    #    serviceConfig = let
-    #      php.define = name: value:
-    #        "define(${php.newdoc name}, ${php.newdoc value});";
-    #      php.toString = x:
-    #        "'${x}'";
-    #      php.newdoc = s:
-    #        let b = "EOF${builtins.hashString "sha256" s}"; in
-    #        ''<<<'${b}'
-    #        ${s}
-    #        ${b}
-    #        '';
-    #    in {
-    #      Type = "oneshot";
-    #      ExecStart = pkgs.writeScript "wordpressInit" ''
-    #        #!/bin/sh
-    #        set -euf
-    #        oc_secrets=${shell.escape "${toString <secrets>}/${domain}/oc-secrets"}
-    #        db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
-    #        get_secret() {
-    #          echo "'$1' => $(jq -r ."$1" "$oc_secrets" | to_php_string),"
-    #        }
-    #        to_php_string() {
-    #          echo "base64_decode('$(base64)')"
-    #        }
-    #        {
-    #          cat ${toString <secrets/mysql_rootPassword>}
-    #          password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
-    #          # TODO passwordhash=$(su nobody_oc -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
-    #          # TODO as package pkgs.sqlHashPassword
-    #          # TODO not using mysql
-    #          # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
-    #          passwordhash=$(su nobody_oc -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
-    #          user=${shell.escape dbUser}@localhost
-    #          database=${shell.escape dbName}
-    #          cat << EOF
-    #            CREATE DATABASE IF NOT EXISTS $database;
-    #            GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
-    #            GRANT ALL PRIVILEGES ON $database.* TO $user;
-    #            FLUSH PRIVILEGES;
-    #        EOF
-    #        } | mysql -u root -p
-    #        # TODO nix2php for wp-config.php
-    #        mkdir -p ${folder}/config
-    #        cat > ${folder}/config/config.php << EOF
-    #        <?php
-    #        \$CONFIG = array (
-    #          'dbhost' => 'localhost',
-    #          'dbtableprefix' => 'oc_',
-    #          'dbpassword' => '$db_password',
-    #          'installed' => 'true',
-    #          'trusted_domains' =>
-    #          array (
-    #            0 => '${domain}',
-    #          ),
-    #          'overwrite.cli.url' => 'http://${domain}',
-
-    #        ${concatStringsSep "\n" (mapAttrsToList (name: value:
-    #          "'${name}' => $(printf '%s' ${shell.escape value} | to_php_string),"
-    #        ) {
-    #          instanceid = instanceid;
-    #          datadirectory = dataDir;
-    #          dbtype = dbType;
-    #          dbname = dbName;
-    #          dbuser = dbUser;
-    #        })}
-
-    #        ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
-    #          "secret"
-    #          "passwordsalt"
-    #        ]}
-    #        );
-    #        EOF
-    #      '';
-    #    };
-    #  };
-    #});
-    users.users.nobody_oc = {
-      uid = genid "nobody_oc";
-      useDefaultShell = true;
-    };
-  };
-
-in out
--- a/lass/3modules/wordpress_nginx.nix
+++ b/lass/3modules/wordpress_nginx.nix
@ -1,265 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-with import <stockholm/lib>;
-
-let
-  cfg = config.lass.wordpress;
-
-  out = {
-    options.lass.wordpress = api;
-    config = imp;
-  };
-
-  api = mkOption {
-    type = with types; attrsOf (submodule ({ config, ... }: {
-      options = {
-        domain = mkOption {
-          type = str;
-          default = config._module.args.name;
-        };
-        dbUser = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        dbName = mkOption {
-          type = str;
-          default = replaceStrings ["."] ["_"] config.domain;
-        };
-        folder = mkOption {
-          type = str;
-          default = "/srv/http/${config.domain}";
-        };
-        auto = mkOption {
-          type = bool;
-          default = false;
-        };
-        charset = mkOption {
-          type = str;
-          default = "utf8mb4";
-        };
-        collate = mkOption {
-          type = str;
-          default = "";
-        };
-        debug = mkOption {
-          type = bool;
-          default = false;
-        };
-        multiSite = mkOption {
-          type = attrsOf str;
-          default = {};
-          example = {
-            "0" = "bla.testsite.de";
-            "1" = "test.testsite.de";
-          };
-        };
-        ssl = mkOption {
-          type = with types; submodule ({
-            options = {
-              enable = mkEnableOption "ssl";
-              certificate = mkOption {
-                type = str;
-              };
-              certificate_key = mkOption {
-                type = str;
-              };
-              ciphers = mkOption {
-                type = str;
-                default = "AES128+EECDH:AES128+EDH";
-              };
-            };
-          });
-        };
-      };
-    }));
-    default = {};
-  };
-
-  user = config.services.nginx.user;
-  group = config.services.nginx.group;
-
-  imp = {
-    #services.nginx.appendConfig = mkIf (cfg.multiSite != {}) ''
-    #  map $http_host $blogid {
-    #  ${concatStringsSep "\n" (mapAttrsToList (n: v: indent "v n;") multiSite)}
-    #  }
-    #'';
-
-    krebs.nginx.servers = flip mapAttrs cfg ( name: { domain, folder, multiSite, ssl, ... }: {
-      server-names = [
-        "${domain}"
-        "www.${domain}"
-      ];
-        #(mkIf (multiSite != {})
-        #)
-      locations = (if (multiSite != {}) then
-        [
-          (nameValuePair "~ ^/files/(.*)$" ''
-            try_files /wp-content/blogs.dir/$blogid/$uri /wp-includes/ms-files.php?file=$1 ;
-          '')
-          (nameValuePair "^~ /blogs.dir" ''
-            internal;
-            alias ${folder}/wp-content/blogs.dir ;
-            access_log off; log_not_found off; expires max;
-          '')
-        ]
-      else
-        []
-      ) ++
-      [
-        (nameValuePair "/" ''
-          try_files $uri $uri/ /index.php?$args;
-        '')
-        (nameValuePair "~ \.php$" ''
-          fastcgi_pass unix:${folder}/phpfpm.pool;
-          include ${pkgs.nginx}/conf/fastcgi.conf;
-        '')
-        (nameValuePair "~ /\\." ''
-          deny all;
-        '')
-        #Directives to send expires headers and turn off 404 error logging.
-        (nameValuePair "~* ^.+\.(xml|ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$" ''
-          access_log off;
-          log_not_found off;
-          expires max;
-        '')
-      ];
-      extraConfig = ''
-        root ${folder}/;
-        index index.php;
-        access_log /tmp/nginx_acc.log;
-        error_log /tmp/nginx_err.log;
-        error_page 404 /404.html;
-        error_page 500 502 503 504 /50x.html;
-        ${if ssl.enable then ''
-          ssl_certificate ${ssl.certificate};
-          ssl_certificate_key ${ssl.certificate_key};
-        '' else ""}
-
-      '';
-      listen = (if ssl.enable then
-          [ "80" "443 ssl" ]
-        else
-          "80"
-      );
-    });
-    services.phpfpm.poolConfigs = flip mapAttrs cfg (name: { domain, folder, ... }: ''
-      listen = ${folder}/phpfpm.pool
-      user = ${user}
-      group = ${group}
-      pm = dynamic
-      pm.max_children = 5
-      pm.start_servers = 2
-      pm.min_spare_servers = 1
-      pm.max_spare_servers = 3
-      listen.owner = ${user}
-      listen.group = ${group}
-      php_admin_value[error_log] = 'stderr'
-      php_admin_flag[log_errors] = on
-      catch_workers_output = yes
-    '');
-    systemd.services = flip mapAttrs' cfg (name: { domain, folder, charset, collate, dbName, dbUser, debug, multiSite, ... }: {
-      name = "wordpressInit-${name}";
-      value = {
-        path = [
-          pkgs.mysql
-          pkgs.su
-          pkgs.gawk
-          pkgs.jq
-        ];
-        requiredBy = [ "nginx.service" ];
-        serviceConfig = let
-          php.define = name: value:
-            "define(${php.newdoc name}, ${php.newdoc value});";
-          php.toString = x:
-            "'${x}'";
-          php.newdoc = s:
-            let b = "EOF${builtins.hashString "sha256" s}"; in
-            ''<<<'${b}'
-            ${s}
-            ${b}
-            '';
-        in {
-          Type = "oneshot";
-          ExecStart = pkgs.writeScript "wordpressInit" ''
-            #!/bin/sh
-            set -euf
-            wp_secrets=${shell.escape "${toString <secrets>}/${domain}/wp-secrets"}
-            db_password=$(cat ${shell.escape "${toString <secrets>}/${domain}/sql-db-pw"})
-            get_secret() {
-              echo "define('$1', $(jq -r ."$1" "$wp_secrets" | to_php_string));"
-            }
-            to_php_string() {
-              echo "base64_decode('$(base64)')"
-            }
-            {
-              cat ${toString <secrets/mysql_rootPassword>}
-              password=$(cat ${shell.escape (toString (<secrets/mysql_rootPassword>))})
-              # TODO passwordhash=$(su nobody2 -c mysql <<< "SELECT PASSWORD($(toSqlString <<< "$password"));")
-              # TODO as package pkgs.sqlHashPassword
-              # TODO not using mysql
-              # SET SESSION sql_mode = 'NO_BACKSLASH_ESCAPES';
-              passwordhash=$(su nobody2 -c 'mysql -u nobody --silent' <<< "SELECT PASSWORD('$db_password');")
-              user=${shell.escape dbUser}@localhost
-              database=${shell.escape dbName}
-              cat << EOF
-                CREATE DATABASE IF NOT EXISTS $database;
-                GRANT USAGE ON *.* TO $user IDENTIFIED BY PASSWORD '$passwordhash';
-                GRANT ALL PRIVILEGES ON $database.* TO $user;
-                FLUSH PRIVILEGES;
-            EOF
-            } | mysql -u root -p
-            # TODO nix2php for wp-config.php
-            cat > ${folder}/wp-config.php << EOF
-            <?php
-            define('DB_PASSWORD', '$db_password');
-            define('DB_HOST', 'localhost');
-
-            ${concatStringsSep "\n" (mapAttrsToList (name: value:
-              "define('${name}', $(printf '%s' ${shell.escape value} | to_php_string));"
-            ) {
-              DB_NAME = dbName;
-              DB_USER = dbUser;
-              DB_CHARSET = charset;
-              DB_COLLATE = collate;
-            })}
-
-            ${concatMapStringsSep "\n" (key: "$(get_secret ${shell.escape key})") [
-              "AUTH_KEY"
-              "SECURE_AUTH_KEY"
-              "LOGGED_IN_KEY"
-              "NONCE_KEY"
-              "AUTH_SALT"
-              "SECURE_AUTH_SALT"
-              "LOGGED_IN_SALT"
-              "NONCE_SALT"
-            ]}
-
-            \$table_prefix = 'wp_';
-
-            ${if (multiSite != {}) then
-              "define('WP_ALLOW_MULTISITE', true);"
-            else
-              ""
-            }
-
-            define('WP_DEBUG', ${toJSON debug});
-            if ( !defined('ABSPATH') )
-              define('ABSPATH', dirname(__FILE__) . '/');
-
-            /** Sets up WordPress vars and included files. */
-            require_once(ABSPATH . 'wp-settings.php');
-            EOF
-          '';
-        };
-      };
-    });
-    users.users.nobody2 = mkDefault {
-      uid = mkDefault (genid "nobody2");
-      useDefaultShell = mkDefault true;
-    };
-  };
-
-  indent = replaceChars ["\n"] ["\n  "];
-
-in out