authormakefu <github@syntax-fehler.de>2022-06-07 00:17:23 +0200
committermakefu <github@syntax-fehler.de>2022-06-07 00:17:23 +0200
commit9c1799914a2e6f2dc736fe2eaad7134602a3d837 (patch)
tree08347f7f29bc00c3b40be2a49e069268c0163716 /lass/2configs/websites
parent1e405be047a79e1abd0c28e52b5009b9675909b8 (diff)
parentbdc80e55411e197f89990e988f8b7e67c084d3d3 (diff)
Merge remote-tracking branch 'lass/master' into 22.05
Diffstat (limited to 'lass/2configs/websites')
-rw-r--r--lass/2configs/websites/domsen.nix56
-rw-r--r--lass/2configs/websites/lassulus.nix32
-rw-r--r--lass/2configs/websites/ref.ptkk.de/default.nix89
-rw-r--r--lass/2configs/websites/util.nix1
4 files changed, 137 insertions, 41 deletions
diff --git a/lass/2configs/websites/domsen.nix b/lass/2configs/websites/domsen.nix
index 3f055e370..fe4d78a3b 100644
--- a/lass/2configs/websites/domsen.nix
+++ b/lass/2configs/websites/domsen.nix
@@ -29,6 +29,8 @@ in {
(servePage [ "apanowicz.de" "www.apanowicz.de" ])
(servePage [ "reich-gebaeudereinigung.de" "www.reich-gebaeudereinigung.de" ])
(servePage [ "illustra.de" "www.illustra.de" ])
+ (servePage [ "nirwanabluete.de" "www.nirwanabluete.de" ])
+ (servePage [ "familienrat-hamburg.de" "www.familienrat-hamburg.de" ])
(servePage [
"freemonkey.art"
"www.freemonkey.art"
@@ -36,20 +38,20 @@ in {
(serveOwncloud [ "o.ubikmedia.de" ])
(serveWordpress [
"ubikmedia.de"
- "nirwanabluete.de"
"ubikmedia.eu"
"youthtube.xyz"
"joemisch.com"
"weirdwednesday.de"
"jarugadesign.de"
+ "beesmooth.ch"
- "www.nirwanabluete.de"
"www.ubikmedia.eu"
"www.youthtube.xyz"
"www.ubikmedia.de"
"www.joemisch.com"
"www.weirdwednesday.de"
"www.jarugadesign.de"
+ "www.beesmooth.ch"
"aldona2.ubikmedia.de"
"cinevita.ubikmedia.de"
@@ -64,9 +66,13 @@ in {
"jarugadesign.ubikmedia.de"
"crypto4art.ubikmedia.de"
"jarugadesign.ubikmedia.de"
+ "beesmooth.ubikmedia.de"
])
];
+ # https://github.com/nextcloud/server/issues/25436
+ services.mysql.settings.mysqld.innodb_read_only_compressed = 0;
+
services.mysql.ensureDatabases = [ "ubikmedia_de" "o_ubikmedia_de" ];
services.mysql.ensureUsers = [
{ ensurePermissions = { "ubikmedia_de.*" = "ALL"; }; name = "nginx"; }
@@ -98,7 +104,7 @@ in {
services.nextcloud = {
enable = true;
hostName = "o.xanf.org";
- package = pkgs.nextcloud21;
+ package = pkgs.nextcloud23;
config = {
adminpassFile = "/run/nextcloud.pw";
overwriteProtocol = "https";
@@ -159,6 +165,7 @@ in {
{ from = "ubik@ubikmedia.eu"; to = "domsen, jms, ms"; }
{ from = "kontakt@alewis.de"; to ="klabusterbeere"; }
{ from = "hallo@jarugadesign.de"; to ="kasia"; }
+ { from = "noreply@beeshmooth.ch"; to ="besmooth@gmx.ch"; }
{ from = "testuser@lassul.us"; to = "testuser"; }
{ from = "testuser@ubikmedia.eu"; to = "testuser"; }
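Review bot: The new forward uses the domain `beeshmooth.ch`, while every other line this commit adds (the `serveWordpress` hosts, the mail domain list and the `dkim` entry in the next hunk) spells it `beesmooth.ch`. As written, mail to `noreply@beesmooth.ch` has no matching rule, and the rule that exists covers a domain this host is not configured to accept. The line should read `{ from = "noreply@beesmooth.ch"; to = "besmooth@gmx.ch"; }`. The target mailbox `besmooth@gmx.ch` (single "e") is worth confirming with the customer as well, since a misspelt external forward sends their mail to someone else's account.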
@@ -170,10 +177,12 @@ in {
"apanowicz.de"
"alewis.de"
"jarugadesign.de"
+ "beesmooth.ch"
];
dkim = [
{ domain = "ubikmedia.eu"; }
{ domain = "apanowicz.de"; }
+ { domain = "beesmooth.ch"; }
];
ssl_cert = "/var/lib/acme/lassul.us/fullchain.pem";
ssl_key = "/var/lib/acme/lassul.us/key.pem";
@@ -332,6 +341,27 @@ in {
isNormalUser = true;
};
+ users.users.avada = {
+ uid = genid_uint31 "avada";
+ home = "/home/avada";
+ useDefaultShell = true;
+ createHome = true;
+ isNormalUser = true;
+ };
+
+ users.users.familienrat = {
+ uid = genid_uint31 "familienrat";
+ home = "/home/familienrat";
+ useDefaultShell = true;
+ createHome = true;
+ isNormalUser = true;
+ };
+ krebs.acl."/srv/http/familienrat-hamburg.de"."u:familienrat:rwX" = {};
+ krebs.acl."/srv/http"."u:familienrat:X" = {
+ default = false;
+ recursive = false;
+ };
+
users.groups.xanf = {};
krebs.on-failure.plans.restic-backups-domsen = {
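Review bot: `users.users.avada` is created as a normal user with a default shell and a home directory, but the only rule that would give it access to a site, `krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX"`, is commented out in the last hunk of this file. As committed, the account exists without the access it appears to be meant for. Either hold the account back until the ACL can be applied, or add a comment such as `# avada: ACL on /srv/http/ubikmedia.de still pending, see the krebs.acl block at the end of this file`. Neither new account shows how its owner authenticates (there is no `openssh.authorizedKeys.keys` in this hunk); if that is set elsewhere, a one-line pointer would help the next reader. The `familienrat` ACLs are scoped well: `rwX` on the one site directory and a non-recursive traverse bit on `/srv/http`.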
@@ -372,18 +402,14 @@ in {
${pkgs.coreutils}/bin/chmod 750 /backups
'';
- krebs.permown = {
- "/srv/http" = {
- group = "syncthing";
- owner = "nginx";
- umask = "0007";
- };
- "/home/xanf/XANF_TEAM" = {
- owner = "XANF_TEAM";
- group = "xanf";
- umask = "0007";
- };
+ # takes too long!!
+ # krebs.acl."/srv/http"."u:syncthing:rwX" = {};
+ # krebs.acl."/srv/http"."u:nginx:rwX" = {};
+ # krebs.acl."/srv/http/ubikmedia.de"."u:avada:rwX" = {};
+ krebs.acl."/home/xanf/XANF_TEAM"."g:xanf:rwX" = {};
+ krebs.acl."/home/xanf"."g:xanf:X" = {
+ default = false;
+ recursive = false;
};
-
}
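Review bot: Removing the `"/srv/http"` entry from `krebs.permown` while its three replacement `krebs.acl` lines stay commented out means nothing visible in this file enforces owner `nginx`, group `syncthing` and umask `0007` on the web root any more. Existing modes stay as they are, but files created later by syncthing or by the per-site users keep whatever their creator set, so they may end up unreadable to nginx or readable more widely than intended. `# takes too long!!` does not tell the next maintainer that this is a known gap. I would replace it with `# TODO: /srv/http ownership/ACLs are currently NOT enforced (recursive run is too slow); new files keep their creator's mode` and keep the commented lines under it. If another module outside this hunk still manages `/srv/http`, say so in that comment instead.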
diff --git a/lass/2configs/websites/lassulus.nix b/lass/2configs/websites/lassulus.nix
index 5bf8de013..411234b82 100644
--- a/lass/2configs/websites/lassulus.nix
+++ b/lass/2configs/websites/lassulus.nix
@@ -10,6 +10,7 @@ in {
imports = [
./default.nix
../git.nix
+ ./ref.ptkk.de
];
security.acme = {
@@ -20,11 +21,8 @@ in {
};
};
- krebs.tinc_graphs.enable = true;
-
users.groups.lasscert.members = [
"dovecot2"
- "ejabberd"
"exim"
"nginx"
];
@@ -48,10 +46,6 @@ in {
locations."= /wireguard-key".extraConfig = ''
alias ${pkgs.writeText "prism.wg" config.krebs.hosts.prism.nets.wiregrill.wireguard.pubkey};
'';
- locations."/tinc/".extraConfig = ''
- index index.html;
- alias ${config.krebs.tinc_graphs.workingDir}/external/;
- '';
locations."= /krebspage".extraConfig = ''
default_type "text/html";
alias ${pkgs.krebspage}/index.html;
@@ -64,14 +58,14 @@ in {
alias ${initscript}/bin/init;
'';
locations."= /blue.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass.pubkey};
+ alias ${pkgs.writeText "pub" config.krebs.users.lass-blue.pubkey};
'';
- locations."= /mors.pub".extraConfig = ''
- alias ${pkgs.writeText "pub" config.krebs.users.lass-mors.pubkey};
- '';
- locations."= /yubi.pub".extraConfig = ''
+ locations."= /ssh.pub".extraConfig = ''
alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pubkey};
'';
+ locations."= /gpg.pub".extraConfig = ''
+ alias ${pkgs.writeText "pub" config.krebs.users.lass-yubikey.pgp.pubkeys.default};
+ '';
};
security.acme.certs."cgit.lassul.us" = {
@@ -90,19 +84,5 @@ in {
root /var/lib/acme/acme-challenge;
'';
};
-
- users.users.blog = {
- uid = genid_uint31 "blog";
- group = "nginx";
- description = "lassul.us blog deployment";
- home = "/srv/http/lassul.us";
- useDefaultShell = true;
- createHome = true;
- isSystemUser = true;
- openssh.authorizedKeys.keys = with config.krebs.users; [
- lass.pubkey
- lass-mors.pubkey
- ];
- };
}
diff --git a/lass/2configs/websites/ref.ptkk.de/default.nix b/lass/2configs/websites/ref.ptkk.de/default.nix
new file mode 100644
index 000000000..14ce58b8e
--- /dev/null
+++ b/lass/2configs/websites/ref.ptkk.de/default.nix
@@ -0,0 +1,89 @@
+{ config, lib, pkgs, ... }:
+{
+ services.nginx.virtualHosts."ref.ptkk.de" = {
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:4626";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Port $server_port;
+ proxy_set_header X-Forwarded-Host $host;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_cache_bypass $http_upgrade;
+ '';
+ };
+ locations."/static/" = {
+ alias = "/var/lib/ref.ptkk.de/static/";
+ };
+ forceSSL = true;
+ };
+ systemd.services."ref.ptkk.de" = {
+ wantedBy = [ "multi-user.target" ];
+ environment = {
+ PRODUCTION = "yip";
+ DATA_DIR = "/var/lib/ref.ptkk.de/data";
+ PORT = "4626";
+ STATIC_ROOT = "/var/lib/ref.ptkk.de/static";
+ };
+ path = with pkgs; [
+ git
+ gnutar
+ gzip
+ nix
+ ];
+ serviceConfig = {
+ ExecStartPre = [
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/data"
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/code"
+ "${pkgs.coreutils}/bin/mkdir -p /var/lib/ref.ptkk.de/static"
+ ];
+ ExecStart = pkgs.writers.writeDash "nixify" ''
+ cd code
+ if test -e shell.nix; then
+ ${pkgs.nix}/bin/nix-shell -I /var/src --run serve
+ else
+ echo 'no shell.nix, bailing out'
+ exit 0
+ fi
+ '';
+ LoadCredential = [
+ "django-secret.key:${toString <secrets>}/ref.ptkk.de-django.key"
+ ];
+ User = "ref.ptkk.de";
+ WorkingDirectory = "/var/lib/ref.ptkk.de";
+ StateDirectory = "ref.ptkk.de";
+ Restart = "always";
+ RestartSec = "100s";
+ };
+ };
+ systemd.services."ref.ptkk.de-restarter" = {
+ serviceConfig = {
+ Type = "oneshot";
+ ExecStart = "${pkgs.systemd}/bin/systemctl restart ref.ptkk.de.service";
+ };
+ };
+ systemd.paths."ref.ptkk.de-restarter" = {
+ wantedBy = [ "multi-user.target" ];
+ pathConfig.PathChanged = [
+ "/var/lib/ref.ptkk.de/code"
+ "/var/src/nixpkgs"
+ ];
+ };
+
+ users.users."ref.ptkk.de" = {
+ isSystemUser = true;
+ uid = pkgs.stockholm.lib.genid_uint31 "ref.ptkk.de";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIF6fu6LtyRdk++qIBpP0BdZQHSTqzNNlvp7ML2Dv0IxD CI@github.com"
+ config.krebs.users.lass.pubkey
+ ];
+ group = "nginx";
+ home = "/var/lib/ref.ptkk.de";
+ useDefaultShell = true;
+ };
+}
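Review bot: The `ref.ptkk.de` unit runs whatever `shell.nix` sits in `/var/lib/ref.ptkk.de/code`, and that directory belongs to an account that accepts SSH logins from a CI key, so whoever holds that key can run code on the host with the `nginx` group; the unit and the account should be confined to match. `serviceConfig` sets no sandboxing, so I would add the options below, which need testing against `nix-shell` because it must reach the Nix daemon socket and write its cache under the state directory. I would also give the account its own group instead of `group = "nginx";` and grant nginx read access to `/var/lib/ref.ptkk.de/static` explicitly. The CI key line could carry the `restrict` option if the deployment needs no PTY or forwarding. Using `LoadCredential` for the Django key is a good choice and should stay.

```nix
    serviceConfig = {
      # … unchanged: ExecStartPre, ExecStart, LoadCredential, User, WorkingDirectory, StateDirectory, Restart, RestartSec …
      NoNewPrivileges = true;
      PrivateTmp = true;
      PrivateDevices = true;
      ProtectHome = true;
      ProtectSystem = "strict";
      ProtectKernelTunables = true;
      ProtectControlGroups = true;
    };
```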
diff --git a/lass/2configs/websites/util.nix b/lass/2configs/websites/util.nix
index b6765037c..22b1669b0 100644
--- a/lass/2configs/websites/util.nix
+++ b/lass/2configs/websites/util.nix
@@ -174,6 +174,7 @@ rec {
services.phpfpm.pools."${domain}" = {
user = "nginx";
group = "nginx";
+ phpPackage = pkgs.php74;
extraConfig = ''
listen = /srv/http/${domain}/phpfpm.pool
pm = dynamic
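Review bot: `phpPackage = pkgs.php74;` pins every pool built by this helper to PHP 7.4, with no comment saying why or when the pin can be lifted. Upstream security support for 7.4 ends in November 2022, after which these sites depend entirely on distribution backports. A comment on the line, e.g. `# pinned: <reason>; PHP 7.4 is EOL upstream 2022-11, revisit on the next channel bump`, would keep the pin from becoming permanent by accident. The enclosing function starts and ends outside this hunk, so I cannot tell whether the version could be a per-site argument rather than one value for all sites.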