add guest agent

This reverts commit e9af41cf54, reversing
changes made to 2d0786d558.

.gitmodules

@@ -0,0 +1,3 @@
+[submodule "module/unciv"]
+	path = module/unciv
+	url = gitea@gitea.stubbe.rocks:nixos-config/unciv.git

boot.nix

@@ -4,7 +4,7 @@
     # Use the GRUB 2 boot loader.
     boot.loader.grub = {
         enable = true;
-        version = 2;
+#        version = 2;
         device = "/dev/sda";
     };
 }

configuration.nix

@@ -14,13 +14,19 @@
         ./programs/installed.nix
         ./services/enabled.nix
         ./users.nix
-        ./module/news2kindle/news2kindle.nix
+#        ./module/news2kindle/news2kindle.nix
 #        ./module/etherpad/etherpad.nix
     ];
 
+   services.qemuGuest.enable = true;
+
     nixpkgs.config.allowUnfree = true;
     nix.gc.automatic = true;
     nix.gc.dates = "03:15";
+    nix.gc.options = "--delete-older-than 15d";
+    
+    nix.settings.experimental-features = "nix-command flakes";
+
 
     # This value determines the NixOS release with which your system is to be
     # compatible, in order to avoid breaking some software such as database
@@ -28,6 +34,18 @@
     # should.
     system = {
         stateVersion = "17.09"; # Did you read the comment?
-        autoUpgrade.enable = true;
+        autoUpgrade = {
+		enable = true;
+		allowReboot = true;
+		flags = [
+			"--max-jobs"
+			"1"
+			"--builders"
+			"''"
+		];
 	};
+    };
+
+    security.acme.defaults.email = "stubbfel@posteo.de";
+    security.acme.acceptTerms = true;
 }

hardware-configuration.nix

@@ -19,5 +19,5 @@
 
   swapDevices = [ ];
 
-  nix.maxJobs = lib.mkDefault 6;
+  nix.settings.max-jobs = lib.mkDefault 6;
 }

i18n.nix

@@ -2,10 +2,8 @@
 
 {
     # Select internationalisation properties.
-    i18n = {
-        consoleKeyMap = "de";
-        defaultLocale = "de_DE.UTF-8";
-    };
+    i18n.defaultLocale = "de_DE.UTF-8";    
+    console.keyMap= "de";	
 
     # Set your time zone.
     time.timeZone = "Europe/Amsterdam";

module/news2kindle/news2kindle.nix

@@ -59,11 +59,13 @@ jobs =  concatMap(recipient: concatMap(cronjob:
     ["${cronjob.cronExpression} root bash ${script}"]) recipient.cronJobs) reps;
 
 
-odfpyNoTest = pkgs.python2Packages.odfpy.overrideAttrs (oldAttrs: rec {
+odfpyNoTest = pkgs.python38Packages.odfpy.overrideAttrs (oldAttrs: rec {
     doInstallCheck = false;
 });
 
-
+apswNoTest = pkgs.python38Packages.apsw.overrideAttrs (oldAttrs: rec {
+    doInstallCheck = false;
+});
 
 calibreWithRecipes = pkgs.calibre.overrideAttrs (oldAttrs: rec {
     installPhase = ''
@@ -71,10 +73,10 @@ calibreWithRecipes = pkgs.calibre.overrideAttrs (oldAttrs: rec {
     cp -ravf recipes $out/var/news2kindle
     ''+ oldAttrs.installPhase ;
 
-    buildInputs = (remove pkgs.python2Packages.odfpy oldAttrs.buildInputs) ++ [odfpyNoTest];
+    buildInputs = (remove pkgs.python38Packages.apsw  (remove pkgs.python38Packages.odfpy oldAttrs.buildInputs)) ++ [odfpyNoTest apswNoTest pkgs.python38Packages.feedparser pkgs.python38Packages.pyqt5];
 
 #    patches = oldAttrs.patches ++  [./calibre-disable_plugins.patch];
-    patches = [./calibre-disable_plugins.patch];
+#    patches = [./calibre-disable_plugins.patch];
 
 });
 
@@ -163,7 +165,12 @@ in
   ###### implementation
 
   config =  mkIf cfg.enable{
-      environment.systemPackages = [pkgs.python27Packages.pyqt5 pkgs.python36Packages.pyqt5 pkgs.mailsend calibreWithRecipes];
+      environment.systemPackages = [
+	#	pkgs.python27Packages.pyqt5
+	#	pkgs.python36Packages.pyqt5
+		pkgs.mailsend
+		calibreWithRecipes
+	];
       services.cron.enable = true;
       services.cron.systemCronJobs = jobs;
   };

programs/installed.nix

@@ -1,8 +1,12 @@
 { config, pkgs, ... }:
 
+let 
+    unstable = import <nixos-unstable> { config = {  allowUnfree = true; }; };
+in
+
 {
     environment.systemPackages = with pkgs; [
-        wget curl vim nano zsh fzf tmux git
+        wget curl vim nano zsh fzf tmux git eza progress tldr htop unstable.docker-compose pkgs.php83 steamcmd helix
     ];
 
     imports =

programs/zsh.nix

@@ -1,19 +1,11 @@
 { config, pkgs, ... }:
 
 {
-    environment.systemPackages = with pkgs; [
-        zsh-git-prompt
-    ];
-
-
     programs.zsh = {
         enable = true;
-        enableAutosuggestions = true;
+        autosuggestions.enable = true;
         enableCompletion = true;
         syntaxHighlighting.enable = true;
-        interactiveShellInit = ''
-            source ${pkgs.zsh-git-prompt}/share/zsh-git-prompt/zshrc.sh
-            '';
     };
     
   

services/7dtd.nix

@@ -0,0 +1,42 @@
+{ config, pkgs, ... }:
+
+let
+
+ runEnv = (pkgs.buildFHSUserEnv {
+    name = "7dtd-env";
+    targetPkgs = pkgs: (with pkgs;
+    [
+    ]);
+    runScript = "bash startserver.sh -configfile=serverconfig.xml";
+  });
+
+in
+{
+
+  networking.firewall.allowedTCPPorts = [26900];
+  networking.firewall.allowedUDPPorts = [26900 26901 26902];
+#7DaysToDie.stubbe.rocks
+
+#  services.nginx.virtualHosts."7daystodie.stubbe.rocks" = {
+#        enableACME = true;
+#        forceSSL = false;
+#        locations."/".proxyPass = "http://localhost:8085";
+#  };
+
+  systemd.services.sdtd = {
+    description = "7dtd";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "sshuser";
+      Group = "users";
+      WorkingDirectory = "/home/sshuser/SteamCMD7_Days_to_Die_server";
+      ExecStart = "${runEnv}/bin/7dtd-env";
+      Restart = "always";
+    };
+  };
+
+
+}
+

services/docker.nix

@@ -0,0 +1,8 @@
+{ config, pkgs, ... }:
+
+{
+	virtualisation.docker = {
+		enable = true;
+		enableOnBoot = true;
+	};
+}

services/enabled.nix

@@ -3,14 +3,27 @@
 {
     imports =
     [
+	    #./7dtd.nix
+#        ./vaheim.nix
         ./sshd.nix
         ./teamspeak.nix
         ./nginx.nix
         #./gitlab.nix
         ./nextcloud.nix
-        ./news2kindle.nix
+#        ./news2kindle.nix
         ./resilio.nix
-        ./sks.nix
+#        ./sks.nix
         ./gitea.nix
+#        ./nexus.nix
+#        ./wireguard.nix
+        #./mqtt.nix
+#        ./jitsi.nix
+	./docker.nix
+	./mailcow.nix
+#        ./unciv.nix
+#        ./hydra.nix
+	./postgres.nix
+	./xkcd-password.nix 
+	./morss.nix
     ];
 }

services/gitea.nix

@@ -1,29 +1,26 @@
 { config, pkgs, ... }:
 
-#let
-# pkgs = import <nixos-unstable> {};
-#in 
 {
-#  environment.systemPackages = [ (import <nixos-unstable> {}).gitea ];
   services.nginx.virtualHosts."gitea.stubbe.rocks" = {
         enableACME = true;
         forceSSL = true;
 	      locations."/".proxyPass = "http://localhost:3000";
   };
 
-nixpkgs.config.packageOverrides = pkgs: {
-     gitea = (import <nixos-unstable> {}).gitea;
-  };
-
   users.users.gitea.shell = pkgs.zsh;
-  imports = [
-      <nixos-unstable/nixos/modules/services/misc/gitea.nix>
-    ];
-
   services.postgresql.enable = true;
   services.gitea = {
         enable = true;
-	useWizard = true;
-   };
+	repositoryRoot = "/var/lib/gitea/gitea-repositories";
+	lfs.enable = true;
+        database.type = "postgres";
+	settings.service.DISABLE_REGISTRATION=true;
+	settings.server.ROOT_URL="https://gitea.stubbe.rocks";
 
+#	package = pkgs.gitea.override rec {
+#		buildGoModule = args: pkgs.buildGoModule ( args // {
+#			tags = args.tags ++ [ "bindata" ];
+#  		}); 
+#	};
+  };
 }

services/hydra.nix

@@ -0,0 +1,40 @@
+{ config, pkgs, ... }:
+
+let
+  lAddress = "127.0.0.1";
+  lPort = 3001;
+in
+
+{  
+  services.nginx.virtualHosts."hydra.stubbe.rocks" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${lAddress}:${toString lPort}";
+  };
+
+  services.hydra = {
+    enable = true;
+    port = lPort;
+    hydraURL = "hydra.localhost";
+    notificationSender = "notitification@hydra.localhost";
+    extraConfig = ''
+<dynamicruncommand>
+  enable = 1
+</dynamicruncommand>
+    '';
+  };
+
+  services.postgresql = {
+    identMap =
+      ''
+        hydra-users hydra hydra
+        hydra-users hydra-queue-runner hydra
+        hydra-users hydra-www hydra
+        hydra-users root postgres
+        hydra-users postgres postgres
+      '';
+  };
+
+users.users.hydra-queue-runner.extraGroups = [ "docker" ];
+
+}

services/jitsi.nix

@@ -0,0 +1,12 @@
+{ config, pkgs, ... }:
+
+{
+
+  services.jitsi-meet = {
+        enable = true;
+        hostName = "jitsi.stubbe.rocks";
+        config = {
+          defaultLang = "de";
+        };
+  };
+}

services/mailcow.nix

@@ -0,0 +1,64 @@
+{ config, pkgs, ... }:
+
+let 
+    unstable = import <nixos-unstable> { config = {  allowUnfree = true; }; };
+in
+
+{
+  services.nginx.virtualHosts."mailcow.stubbe.rocks" = {
+      enableACME = true;
+      forceSSL = true;
+      default = true;
+      locations."/".proxyPass = "http://localhost:7080";
+      serverName = "v22017115146555724.happysrv.de";
+      serverAliases = [
+        "testmail.stubbe.rocks"
+        "mailcow.stubbe.rocks"
+        "stubbe.rocks"
+#        "autodiscover.testmail.stubbe.rocks"
+#        "autoconfig.testmail.stubbe.rocks"  
+#        "autodiscover.mailcow.stubbe.rocks"
+#        "autoconfig.mailcow.stubbe.rocks"      
+      ];
+  };
+
+security.acme.certs."v22017115146555724.happysrv.de".postRun = ''
+	cp fullchain.pem /opt/mailcow-dockerized/data/assets/ssl/cert.pem  
+	cp key.pem /opt/mailcow-dockerized/data/assets/ssl/key.pem  
+	cp chain.pem /opt/mailcow-dockerized/data/assets/ssl/chain.pem  
+'';
+
+#services.nginx.virtualHosts."webmail.stubbe.rocks" = {
+#       enableACME = true;
+#       forceSSL = true;
+#       locations."/".proxyPass = "http://localhost:7080/SOGo/";
+#};
+
+  systemd = {
+    timers.mailcow-update = {
+      wantedBy = [ "timers.target" ];
+      partOf = [ "mailcow-update.service" ];
+      timerConfig.OnCalendar = "weekly";
+    };
+    services.mailcow-update = {
+      path = [
+	pkgs.bash        
+        pkgs.git
+        pkgs.curl
+        pkgs.gawk
+        pkgs.docker
+        unstable.docker-compose
+        pkgs.which
+        pkgs.coreutils-full
+	pkgs.unixtools.ping
+	pkgs.iptables
+	pkgs.openssl
+      ];
+      serviceConfig.Type = "oneshot";
+      script = ''
+	cd /opt/mailcow-dockerized
+	./update.sh --no-update-compose --force --no-show-forced-updates
+      '';         
+    };
+ };
+}

services/morss.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."morss.stubbe.rocks" = {
+        enableACME = true;
+        forceSSL = true;
+	      locations."/".proxyPass = "http://localhost:8000";
+  };
+
+
+}

services/mqtt.nix

@@ -0,0 +1,33 @@
+{ config, pkgs, ... }:
+
+rec {
+   networking.firewall.allowedTCPPorts = [1883];
+
+#   security.acme.certs."mqtt.stubbe.rocks" = {
+#	  email = "mqqt@stubbe.rocks";
+#	  webroot = "/var/www/challenges/";
+#	  allowKeysForGroup = true;
+#	  group = "mosquitto";
+#	  postRun = ''
+#		chmod g+rw -R /var/lib/acme/mqtt.stubbe.rocks    
+#		chown mosquitto:root -R /var/lib/acme/mqtt.stubbe.rocks
+#	  '';
+#          directory = "/var/lib/acme/mqtt.stubbe.rocks"; 	
+#  };
+
+  services.mosquitto = rec {
+        enable = true;
+#	ssl = {
+#		enable = true;
+#		cafile = "/var/lib/acme/mqtt.stubbe.rocks/full.pem";
+#		certfile = "/var/lib/acme/mqtt.stubbe.rocks/cert.pem";
+#		keyfile = "/var/lib/acme/mqtt.stubbe.rocks/key.pem";
+#	};
+	host = "0.0.0.0";
+	checkPasswords = true;
+	users."eeN!ei2eilo1aiT6" = {
+		acl = [ "topic readwrite myink/#" ]; 
+		password = "AS5hoh5ug(ei8eer";
+	};
+  };
+}

services/nextcloud.nix

@@ -1,111 +1,223 @@
+
 { config, pkgs, ... }:
+let
+  myPhp = pkgs.php83.buildEnv {
+    extensions = { enabled, all }: with all; [ imagick opcache apcu redis memcached ] ++ enabled;
+    extraConfig = ''
+ 	opcache.enable=1
+	opcache.enable_cli=1
+        opcache.interned_strings_buffer=32
+        opcache.max_accelerated_files=15000
+        opcache.memory_consumption=256
+        opcache.save_comments=1
+	opcache.validate_timestamps=0
+        opcache.revalidate_freq=60
+	memory_limit=5G
+	post_max_size=5G
+	upload_max_filesize=5G
+	output_buffering=0
+	redis.session.locking_enabled=1
+	redis.session.lock_retries=-1
+	redis.session.lock_wait_time=10000
+	apc.enable_cli=1
+    '';
+  };
+  occ = pkgs.writeScriptBin "nextcloud-occ" ''
+    #! ${pkgs.runtimeShell}
+    cd /var/www/nextcloud
+    sudo=exec
+    if [[ "$USER" != nextcloud ]]; then
+      sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
+    fi
+    export NEXTCLOUD_CONFIG_DIR="/var/www/nextcloud/config"
+    $sudo \
+      ${myPhp}/bin/php \
+      occ "$@"
+  '';
 
+  daf = pkgs.writeScriptBin "nextcloud-daf" ''
+    #! ${pkgs.runtimeShell}
+    cd /var/www/nextcloud-tools/rescue
+    sudo=exec
+    if [[ "$USER" != nextcloud ]]; then
+      sudo='exec /run/wrappers/bin/sudo -u nextcloud --preserve-env=NEXTCLOUD_CONFIG_DIR --preserve-env=OC_PASS'
+    fi
+    export NEXTCLOUD_CONFIG_DIR="/var/www/nextcloud/config"
+    $sudo \
+      ${myPhp}/bin/php \
+      decrypt-all-files.php "$@"
+  '';
+
+  phpfpmSocketName = "/run/phpfpm/nextcloud.sock";
+  
+in
 {
-
-    environment.systemPackages = with pkgs; [ nextcloud ];
-
+    users.groups.nextcloud.members = [ "nextcloud" "nginx" ];
     services.nginx.virtualHosts."cloud.stubbe.rocks" = {
         enableACME = true;
         forceSSL = true;
         serverName = "cloud.stubbe.rocks";
         root = "/var/www/nextcloud/";
         extraConfig = ''
+       index index.php index.html /index.php$request_uri;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header X-Robots-Tag "noindex, nofollow";
+          add_header X-Download-Options noopen;
+          add_header X-Permitted-Cross-Domain-Policies none;
+          add_header X-Frame-Options sameorigin;
+          add_header Referrer-Policy no-referrer;
+          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
           client_max_body_size 1024M;
-          gzip off;
-          error_page 403 /core/templates/403.php;
-          error_page 404 /core/templates/404.php;
+          fastcgi_buffers 64 4K;
+          fastcgi_hide_header X-Powered-By;
+          gzip on;
+          gzip_vary on;
+          gzip_comp_level 4;
+          gzip_min_length 256;
+          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;
         '';
-
 	locations = {
-          "/robots.txt" = {
-            extraConfig = "allow all;";
+          "= /robots.txt" = {
+            priority = 100;
+            extraConfig = ''
+              allow all;
+              access_log off;
+            '';
           };
-          "/.well-known/carddav" = {
-            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
+         "= /" = {
+            priority = 100;
+            extraConfig = ''
+              if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+              }
+            '';
           };
-          "/.well-known/caldav" = {
-            extraConfig = "return 301 $scheme://$host/remote.php/dav;";
-          };
-          # Root
           "/" = {
+            priority = 900;
+            extraConfig = "rewrite ^ /index.php;";
+          };
+          "~ ^/store-apps" = {
+            priority = 201;
+            extraConfig = "root /var/lib/nextcloud;";
+          };
+          "~ ^/nix-apps" = {
+            priority = 201;
+            extraConfig = "root /var/lib/nextcloud;";
+          };
+          "^~ /.well-known" = {
+            priority = 210;
             extraConfig = ''
-              rewrite ^ /index.php$uri;
+              absolute_redirect off;
+              location = /.well-known/carddav {
+                return 301 /remote.php/dav/;
+              }
+              location = /.well-known/caldav {
+                return 301 /remote.php/dav/;
+              }
+              location ~ ^/\.well-known/(?!acme-challenge|pki-validation) {
+                return 301 /index.php$request_uri;
+              }
+              try_files $uri $uri/ =404;
             '';
           };
-          # PHP files
-          "~ ^/(?:index|remote|public|cron|core/ajax/update|status|ocs/v[12]|updater/.+|ocs-provider/.+|core/templates/40[34])\\.php(?:$|/)" = {
+          "~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)".extraConfig = ''
+            return 404;
+          '';
+          "~ ^/(?:\\.(?!well-known)|autotest|occ|issue|indie|db_|console)".extraConfig = ''
+            return 404;
+          '';
+          "~ ^\\/(?:index|remote|public|cron|core\\/ajax\\/update|status|ocs\\/v[12]|updater\\/.+|ocs-provider\\/.+|.+\\/richdocumentscode\\/proxy)\\.php(?:$|\\/)" = {
+            priority = 500;
             extraConfig = ''
-              fastcgi_split_path_info ^(.+\\.php)(/.*)$;
-              include ${pkgs.nginx}/conf/fastcgi_params;
+	      include ${config.services.nginx.package}/conf/fastcgi.conf;
+              fastcgi_split_path_info ^(.+?\.php)(\\/.*)$;
+              set $path_info $fastcgi_path_info;
+              try_files $fastcgi_script_name =404;
+              fastcgi_param PATH_INFO $path_info;
               fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
-              fastcgi_param PATH_INFO $fastcgi_path_info;
-              fastcgi_pass unix:/run/phpfpm/nextcloud.sock;
+              fastcgi_param HTTPS "on";
+              fastcgi_param modHeadersAvailable true;
+              fastcgi_param front_controller_active true;
+              fastcgi_pass unix:${phpfpmSocketName};
+              fastcgi_intercept_errors on;
+              fastcgi_request_buffering off;
+              fastcgi_read_timeout 120s;
             '';
           };
-          # CSS and JavaScript files
-          "~* ^/(?!apps-local).*\\.(?:css|js)$" = {
-            tryFiles = "$uri /index.php$uri$is_args$args";
-          };
-          # Other static assets
-          "~* ^/(?!apps-local).*\\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$" = {
-            tryFiles = "$uri /index.php$uri$is_args$args";
-          };
-          # Locally installed apps:
-          #
-          # No need to specify location for PHP files of installed apps???
-          #
-          # CSS and JavaScript files for installed apps
-          "~* ^/apps-local/.*\\.(?:css|js)$" = {
-            root = "/var/nextcloud";
-            tryFiles = "$uri =404";
-          };
-          # Other static assets for installed apps
-          "~* ^/apps-local/.*\\.(?:svg|gif|png|html|ttf|woff|ico|jpg|jpeg)$" = {
-            root = "/var/nextcloud";
-            tryFiles = "$uri =404";
-          };
-          "~ ^/(?:build|tests|config|lib|3rdparty|templates|data|\\.|autotest|occ|issue|indie|db_|console)" = {
-            extraConfig = "deny all;";
-          };
+          "~ \\.(?:css|js|mjs|svg|gif|png|jpg|ico|wasm|tflite|map|ogg|flac)$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            expires 6M;
+            access_log off;
+            location ~ \.mjs$ {
+              default_type text/javascript;
+            }
+            location ~ \.wasm$ {
+              default_type application/wasm;
+            }
+          '';
+          "~ ^\\/(?:updater|ocs-provider)(?:$|\\/)".extraConfig = ''
+            try_files $uri/ =404;
+            index index.php;
+          '';
+          "~ \\.(?:png|html|ttf|ico|jpg|jpeg|bcmap|mp4|webm)$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            access_log off;
+          '';
+          "~ \.(otf|woff2?)$".extraConfig = ''
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+          '';
         };
   };
 
-    users.extraUsers.nextcloud.packages = [
-      pkgs.php
-      pkgs.php71Packages.apcu
-      pkgs.php71Packages.memcached
-      pkgs.php71Packages.redis
-      pkgs.php71Packages.imagick
-    ];
+    environment.systemPackages = [ occ daf ];
 
     # Option I: PHP-FPM pool for Nextcloud
-    services.phpfpm.poolConfigs = let
-      phpfpmSocketName = "/run/phpfpm/nextcloud.sock";
+    services.phpfpm.pools.nextcloud = let
       phpfpmUser = "nextcloud";
       phpfpmGroup = "nextcloud";
       server = "nginx";
     in
     {
-      nextcloud = ''
-        listen = ${phpfpmSocketName}
-        listen.owner = ${server}
-        listen.group = ${server}
-        user = ${phpfpmUser}
-        group = ${phpfpmGroup}
-        pm = ondemand
-        pm.max_children = 4
-        pm.process_idle_timeout = 10s
-        pm.max_requests = 200
-      '';
+      phpPackage = myPhp;
+      settings = {
+        "listen" = "${phpfpmSocketName}";
+        "listen.owner" = "${server}";
+        "listen.group" = "${server}";
+        "user" = "${phpfpmUser}";
+        "group" = "${phpfpmGroup}";
+        "pm" = "dynamic";
+	"pm.max_children" = "120";
+	"pm.start_servers" = "12";
+	"pm.min_spare_servers" = "6";
+	"pm.max_spare_servers" = "18";
+      };
+      phpEnv = {
+        NEXTCLOUD_CONFIG_DIR = "/var/www/nextcloud/config";
+        PATH = "/run/wrappers/bin:/nix/var/nix/profiles/default/bin:/run/current-system/sw/bin:/usr/bin:/bin";
+      };
+  };
+
+services.cron.enable = true;
+services.redis.servers."".enable = true;
+
+systemd.timers.nextcloud-cron = {
+        wantedBy = [ "timers.target" ];
+        timerConfig.OnBootSec = "5m";
+        timerConfig.OnUnitActiveSec = "15m";
+        timerConfig.Unit = "nextcloud-cron.service";
+};
+
+systemd.services.nextcloud-cron = {
+	environment.NEXTCLOUD_CONFIG_DIR = "/var/www/nextcloud/config";
+        serviceConfig.Type = "oneshot";
+        serviceConfig.User = "nextcloud";
+        serviceConfig.ExecStart = "${myPhp}/bin/php --define apc.enable_cli=1 -f /var/www/nextcloud/cron.php";
 };
 
-  services.phpfpm.phpOptions = ''
-      opcache.enable=1
-      opcache.enable_cli=1
-      opcache.interned_strings_buffer=8
-      opcache.max_accelerated_files=10000
-      opcache.memory_consumption=128
-      opcache.save_comments=1
-      opcache.revalidate_freq=1
-'';
 }

services/nexus-vm-opts.patch

@@ -0,0 +1,12 @@
+--- a/bin/nexus	2025-05-02 22:27:48.000000000 +0200
++++ b/bin/nexus	2025-06-09 14:59:58.617397105 +0200
+@@ -139,7 +139,8 @@
+ 
+ cd "$HOME" || exit 1
+ vmoptions_val=""
+-read_vmoptions "nexus.vmoptions"
++VM_OPTS=${VM_OPTS_FILE:-"nexus.vmoptions"}
++read_vmoptions "$VM_OPTS"
+ INSTALL4J_ADD_VM_PARAMS="$INSTALL4J_ADD_VM_PARAMS $vmoptions_val"
+ 
+ # deduce the chosen data directory and prepare log and tmp directories

services/nexus.nix

@@ -0,0 +1,97 @@
+{ config, pkgs, lib, ...}:
+
+let
+  lAddress = "127.0.0.1";
+  lPort = 9081;
+  nexusPkgs = pkgs.nexus.overrideAttrs (oldAttrs: rec {
+    pname = "nexus";
+    version = "3.80.0-06";
+    sourceRoot = "${pname}-${version}";
+    src = pkgs.fetchurl {
+      url = "https://download.sonatype.com/nexus/3/nexus-${version}-linux-x86_64.tar.gz";
+      sha256 = "sha256-+Xr6qmmG1tH2wWv+jyZzkZJMB1hngO51IXLyfwKUfS0=";
+    };
+
+    patches = [
+    # ./nexus-bin.patch
+     ./nexus-vm-opts.patch
+    ];
+
+    postPatch = ''
+      substituteInPlace bin/nexus.vmoptions \
+        --replace-fail ../sonatype-work /var/lib/sonatype-work \
+        --replace-fail =. =$out
+    '';
+
+    installPhase = ''
+      runHook preInstall
+      mkdir -p $out
+      cp -rfv *  $out
+      rm -fv $out/bin/nexus.bat
+      wrapProgram $out/bin/nexus \
+        --set JAVA_HOME ${pkgs.jdk17_headless} \
+        --set ALTERNATIVE_NAME "nexus" \
+        --prefix PATH "${lib.makeBinPath [ pkgs.gawk ]}"
+      runHook postInstall
+    '';
+});
+
+home ="/var/lib/sonatype-work";
+
+package = nexusPkgs;
+
+in
+{
+  services.nginx.virtualHosts."nexus.stubbe.rocks" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${lAddress}:${toString lPort}";
+  };
+
+  services.nexus= {
+    enable = true;
+    listenAddress = lAddress;
+    listenPort = lPort;
+    package = nexusPkgs;
+    jvmOpts = ''
+  -Xms2703m
+  -Xmx2703m
+  -XX:+UnlockDiagnosticVMOptions
+  -XX:+LogVMOutput
+  -XX:LogFile=${home}/nexus3/log/jvm.log
+  -XX:-OmitStackTraceInFastThrow
+  -Djava.net.preferIPv4Stack=true
+  -Dkaraf.home=${package}
+  -Dkaraf.base=${package}
+  -Dkaraf.etc=${package}/etc/karaf
+  -Djava.util.logging.config.file=${package}/etc/karaf/java.util.logging.properties
+  -Dkaraf.data=${home}/nexus3
+  -Djava.io.tmpdir=${home}/nexus3/tmp
+  -Djdk.tls.ephemeralDHKeySize=2048
+  --add-reads=java.xml=java.logging
+--add-opens
+java.base/java.security=ALL-UNNAMED
+--add-opens
+java.base/java.net=ALL-UNNAMED
+--add-opens
+java.base/java.lang=ALL-UNNAMED
+--add-opens
+java.base/java.util=ALL-UNNAMED
+--add-opens
+java.naming/javax.naming.spi=ALL-UNNAMED
+--add-opens
+java.rmi/sun.rmi.transport.tcp=ALL-UNNAMED
+--add-exports=java.base/sun.net.www.protocol.http=ALL-UNNAMED
+--add-exports=java.base/sun.net.www.protocol.https=ALL-UNNAMED
+--add-exports=java.base/sun.net.www.protocol.jar=ALL-UNNAMED
+--add-exports=jdk.xml.dom/org.w3c.dom.html=ALL-UNNAMED
+--add-exports=jdk.naming.rmi/com.sun.jndi.url.rmi=ALL-UNNAMED
+--add-exports=java.security.sasl/com.sun.security.sasl=ALL-UNNAMED
+--add-exports=java.base/sun.security.x509=ALL-UNNAMED
+--add-exports=java.base/sun.security.rsa=ALL-UNNAMED
+--add-exports=java.base/sun.security.pkcs=ALL-UNNAMED
+'';
+  };
+
+  programs.nix-ld.enable = true;
+}

services/nginx.nix

@@ -6,6 +6,7 @@
 networking.firewall.allowedTCPPorts = [80 443 ];
 
 services.nginx = {
+	appendHttpConfig= ''server_names_hash_bucket_size 64;'';
         enable = true;
 	sslProtocols = "TLSv1 TLSv1.1 TLSv1.2";
 #	sslCiphers = "DHE+RSA+AES128+SHA:EECDH+aRSA+AESGCM:EDH+aRSA:EECDH+aRSA:+AES256:+AES128:+SHA1:!CAMELLIA:!SEED:!3DES:!DES:!RC4:!eNULL";
@@ -15,3 +16,4 @@ services.nginx = {
         recommendedTlsSettings = false;
     };
 }
+

services/postgres.nix

@@ -0,0 +1,9 @@
+{ config, pkgs, ... }:
+
+{
+  # used for gitea and nextcloud
+  services.postgresql =  {
+ 	enable = true;
+	package = pkgs.postgresql_18;
+  };
+}

services/sks.nix

@@ -7,7 +7,7 @@
   };
 
   services.sks.enable = true;
-
+  services.sks.extraDbConfig = "set_flags DB_LOG_AUTOREMOVE";
   networking.firewall.allowedTCPPorts = [ config.services.sks.hkpPort];
   services.pgpkeyserver-lite.enable = true;
   services.pgpkeyserver-lite.hostname = "keys.stubbe.rocks";

services/sshd.nix

@@ -2,7 +2,7 @@
 
 {
   services.openssh.enable = true;
-  services.openssh.passwordAuthentication = false;
-  services.openssh.challengeResponseAuthentication = false;
-  services.openssh.permitRootLogin = "no";
+  services.openssh.settings.PasswordAuthentication = false;
+  services.openssh.settings.KbdInteractiveAuthentication = false;
+  services.openssh.settings.PermitRootLogin = "no";
 }

services/teamspeak.nix

@@ -1,5 +1,7 @@
 { config, pkgs, ... }:
-
+let 
+    unstable = import <nixos-unstable> { config = {  allowUnfree = true; }; };
+in
 {
     networking.firewall.allowedTCPPorts = [ 
 	30033 # ts TCP port opened for file transfers.
@@ -10,6 +12,10 @@
 	9987 # ts port
     ];
 
+    nixpkgs.config.packageOverrides = pkgs: {
+	teamspeak_server = unstable.teamspeak_server;
+   };
+
     services.teamspeak3= {
         enable = true;
     };

services/unciv.nix

@@ -0,0 +1,15 @@
+{ config, pkgs, ... }:
+
+let
+
+  uc = pkgs.callPackage ../module/unciv/unciv.nix {
+    port = "9880";
+    nginxIsDefault = false;
+  };
+
+in
+{
+
+ systemd.services.unciv = uc.systemd.services.unciv;
+ services.nginx.virtualHosts."unciv.stubbe.rocks" = uc.nginx.virtualHosts.unciv;  
+}

services/vaheim.nix

@@ -0,0 +1,35 @@
+{ config, pkgs, ... }:
+
+let
+
+ runEnv = (pkgs.buildFHSUserEnv {
+    name = "vaheim-env";
+    targetPkgs = pkgs: (with pkgs;
+    [
+	file
+    ]);
+    runScript = ''
+       bash ./start_server.sh
+    '';
+  });
+
+in
+{
+
+  networking.firewall.allowedTCPPorts = [2456 2457 2458];
+  networking.firewall.allowedUDPPorts = [2456 2457 2458];
+
+  systemd.services.vaheim = {
+    description = "vaheim";
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+    serviceConfig = {
+      Type = "simple";
+      User = "sshuser";
+      Group = "users";
+      WorkingDirectory = "/home/sshuser/valheim_neu";
+      ExecStart = "${runEnv}/bin/vaheim-env";
+      Restart = "always";
+    };
+  };
+}

services/wg0.key

@@ -0,0 +1 @@
+qGHCeu53Sf6I8FUemPb36/nWbteef6H1Iz6BvE8/ek8=

services/wireguard.nix

@@ -0,0 +1,20 @@
+{ config, pkgs, ... }:
+
+{
+
+  environment.systemPackages = [ pkgs.wireguard ];
+  networking.firewall.allowedTCPPorts = [ 51820 ];
+  networking.firewall.allowedUDPPorts = [ 51820 ];
+  networking.wireguard.interfaces.wg0 = {
+    listenPort = 51820;
+    privateKeyFile = "/etc/nixos/services/wg0.key";
+    ips = [ "192.168.43.1/32" ];
+    peers = [
+      {
+        allowedIPs = ["192.168.43.2/32"];
+        publicKey = "wbeCSyurE/kiXooaqieRgoDHJiDBiw/CHvF5e+LCPlw=";
+        persistentKeepalive = 25;
+      }
+      ];
+  };
+}

services/xkcd-password.nix

@@ -0,0 +1,11 @@
+{ config, pkgs, ... }:
+
+{
+  services.nginx.virtualHosts."xkcd-pw.stubbe.rocks" = {
+        enableACME = true;
+        forceSSL = true;
+	      locations."/".proxyPass = "http://localhost:8080";
+  };
+
+
+}

users.nix

@@ -5,19 +5,21 @@ let
     openssh.authorizedKeys.keys = [
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDKShnz3ceVcg3axVXv/GGcjyFAfcjuDR1i5o6JzVvnmlWpWvClnYSBNb/oEDDq5pSPSBvCYp2HwZpmkYEV/C3lBbUsmLtOlUrzkm0ibgHraTVyHUq3OSYckXEvUYRCCtGqvRRehERrhPZV6oXBE8aBUk26xTpOJpLFPy7spF4sBwKPSE2igTIYtJSfJYi3wn2KoW1q1RLMasC4fdvgNCVIxxBq72uMcRUcPc4jL8n11UFfepJrwSQ7Z7KxsZXdz5JFVl6QEE6cVSSEAuuEefNYANrp5S3h/lUowrUOcu0ml2c7CJWPpaOb4GvFlio4woc0lCATrA2341V0xshl40Xd dev@stubbfel"
       "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjKB6Pr/hvKhwwwXoTtAy3r68JwUo7WyueSJbUkuk4hkLCtkD/LZ9ZavOzY6PEaQsTW7qcRNxUB4FjHX26pRCfB1U9TVBsE6gEgCYcuSBjKGgIOeeCSufJ2N3xUsaO+MBpnBPfgAJeUwFdSZLH1lv981adZ3IlkjQkj6oGfMK5aJv0P+bJjhmI5Ym5K0hMD6UOI2qRFEOjkO/49G7zf/0SegZAU9ySexRCvPw5g2ilRUqrIsv1Z9HMu+dYKlZq9QvWgbgv5K2oKuL4oBydQ/PomBauQkwyFRkRvPo1gCJOBvwduZvVE7QQoBXYsNSv+fsPu1s2OOSzAKCyvIMjQ34z user@stubbfel"
+	  "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDjlSTPEBtQhs7pRe17pvApLvtJfwbvxygZURnjGho/svAraMAYOYmDlaoxhYgk6VYS4mmuRpVQZpsq12PqeoFfOPh4cGLQTE5zEzqQWwg7vdRut/eFQCh2KQbWy0eWIK8kEZ4c2xu+YH6YQZ0sRTYPhLooTeOGGflKko7RjCyBZnNbjehIwW+aRCqe//HhFCYOay3ow3TKpDqfo0DF9Ps3sS9un2Tx4uVQUsbybUv6OdpprhPsfHf8THnKcHqIYjkUxJpcX3ZJsA9tNCs8cs7KlsFa4a0AhZ4NaSn4+HI2OQwuPFU/c0o4VwNdF7T71MOMqOoAmE5/ZZer+PGNIRaj user@stubbfel_pc"
+      "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDDAUuWrss+AJp+DpFuyMhNEmrdOQX2t9EGonSs6nFmzY3cjb453k/2BL8r6djIUihywT2SxTxyDrYYVoJNNPCoU6I29uNDuvHmK3zAe1lPmKlw10KN7D38y43rkhFgX28lIMcl1evt/UqN/vVo/ihlMlCxeK1lEnh9UOPKDWn38b6tr4YPYDiDgs1AgE9MG0W8OKNTtLAT4Z0oUbDPsRyntXFelvMZi8Q4+VLUML1pY8Chf35sSs8nHJTTuRwgtLMzvGUkMGTAPJtMjx63bGFpe2xrhnf7+cyfPqNOHAuLyVbObHSzLNL8Rq/BtCYPp923FQHWwYdkkP62XBb6wXsXn0r+dnqMIv9Jqu/r1/4Oz7vFG5T0yvBju5ZB20HtsmiGMk68W0ZabFgZIoSPvE8hAM8aF0yxu6LrY4P8AHb0iCQq7V04FLfpMCdRHzAbbCWEMR3IH5aaixfwl7HnA9mgkBIF78pZiFch/NMjhs/4/T56t+t/vTmArJRAGgmv408= stubbfel@stubbfel-pinebook"
     ];
   };
 in
 {
 
-    virtualisation.docker.enable = true;
+#    virtualisation.docker.enable = true;
 
     users = {
         defaultUserShell = pkgs.zsh;
-	extraUsers.etherpad = myPublicSshKeys //  { isNormalUser = true;  home = "/home/etherpad";};
+#	extraUsers.etherpad = myPublicSshKeys //  { isNormalUser = true;  home = "/home/etherpad";};
         extraUsers.sshuser = myPublicSshKeys //  { isNormalUser = true;  home = "/home/sshuser";};
-        extraUsers.nextcloud = myPublicSshKeys //  { isNormalUser = true;  home = "/home/nextcloud"; group = "nextcloud";};
-        extraUsers.ledebuild = myPublicSshKeys //  { isNormalUser = true;  home = "/home/ledebuild"; extraGroups = [ "docker" ];};
+        extraUsers.nextcloud = myPublicSshKeys //  { isSystemUser = true;  home = "/home/nextcloud"; createHome= true; group = "nextcloud";};
+#        extraUsers.ledebuild = myPublicSshKeys //  { isNormalUser = true;  home = "/home/ledebuild"; extraGroups = [ "docker" ];};
 #        extraUsers.gitea = myPublicSshKeys //  { isNormalUser = true;  home = "/home/gitea"; };
         extraGroups.nexdcloud.name = "nextcloud";
     };