diff --git a/hosts/default.nix b/hosts/default.nix
index a23a65f..63dee24 100644
--- a/hosts/default.nix
+++ b/hosts/default.nix
@@ -10,10 +10,6 @@ in
 cadmium = {
 system = "x86_64-linux";
 };
- weinturm-pretix-prod = {
- system = "aarch64";
- targetHost = "142.132.185.70";
- };
 iron = {
 system = "x86_64-linux";
 #targetHost = "192.168.42.1";
diff --git a/hosts/weinturm-pretix-prod/configuration.nix b/hosts/weinturm-pretix-prod/configuration.nix
deleted file mode 100644
index 774ab83..0000000
--- a/hosts/weinturm-pretix-prod/configuration.nix
+++ /dev/null
@@ -1,54 +0,0 @@
-{ ... }: {
- imports = [
- ./hardware-configuration.nix
- ../../users/jalr
- ./services
- ./ports.nix
- ];
-
- networking.hostName = "weinturm-pretix-prod";
-
- networking.useDHCP = false;
-
- systemd.network = {
- enable = true;
- networks."10-wan" = {
- matchConfig.Name = "enp1s0";
- networkConfig.DHCP = "no";
- address = [
- "142.132.185.70/32"
- "2a01:4f8:c012:edd::/64"
- ];
- routes = [
- {
- Destination = "172.31.1.1";
- }
- {
- Gateway = "172.31.1.1";
- GatewayOnLink = true;
- }
- {
- Gateway = "fe80::1";
- }
- ];
- };
- };
-
- zramSwap = {
- enable = true;
- algorithm = "zstd";
- memoryPercent = 60;
- priority = 1;
- };
-
- security.sudo.wheelNeedsPassword = false;
-
- services.netdata.enable = true;
-
- jalr = {
- bootloader = "systemd-boot";
- uefi.enable = true;
- };
-
- system.stateVersion = "24.05";
-}
diff --git a/hosts/weinturm-pretix-prod/hardware-configuration.nix b/hosts/weinturm-pretix-prod/hardware-configuration.nix
deleted file mode 100644
index 178664e..0000000
--- a/hosts/weinturm-pretix-prod/hardware-configuration.nix
+++ /dev/null
@@ -1,64 +0,0 @@
-{ lib, modulesPath, ... }:
-{
- imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
-
- boot = {
- initrd = {
- availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
- kernelModules = [ ];
- };
- kernelModules = [ ];
- extraModulePackages = [ ];
- };
-
- fileSystems = {
- "/" = {
- device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
- fsType = "btrfs";
- options = [
- "subvol=root"
- "compress=zstd"
- ];
- };
- "/proc" = {
- device = "/proc";
- options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
- };
- "/home" = {
- device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
- fsType = "btrfs";
- options = [
- "subvol=home"
- "compress=zstd"
- "nodev"
- "nosuid"
- ];
- };
- "/nix" = {
- device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
- fsType = "btrfs";
- options = [
- "subvol=nix"
- "compress=zstd"
- "noatime"
- "nodev"
- ];
- };
- "/boot" = {
- device = "/dev/disk/by-uuid/A586-15AC";
- fsType = "vfat";
- options = [ "nodev" "nosuid" "noexec" ];
- };
- };
-
- swapDevices = [ ];
-
- # Enables DHCP on each ethernet and wireless interface. In case of scripted networking
- # (the default) this is the recommended approach. When using systemd-networkd it's
- # still possible to use this option, but it's recommended to use it in conjunction
- # with explicit per-interface declarations with `networking.interfaces..useDHCP`.
- networking.useDHCP = lib.mkDefault true;
- # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
-
- nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
-}
diff --git a/hosts/weinturm-pretix-prod/ports.nix b/hosts/weinturm-pretix-prod/ports.nix
deleted file mode 100644
index c41bae4..0000000
--- a/hosts/weinturm-pretix-prod/ports.nix
+++ /dev/null
@@ -1,10 +0,0 @@
-{ custom-utils, ... }:
-
-{
- config.networking.ports = custom-utils.validatePortAttrset {
- nginx-http.tcp = 80;
- nginx-https.tcp = 443;
- postfix-relay.tcp = 25;
- postfix-submission.tcp = 465;
- };
-}
diff --git a/hosts/weinturm-pretix-prod/secrets.yaml b/hosts/weinturm-pretix-prod/secrets.yaml
deleted file mode 100644
index 11052e5..0000000
--- a/hosts/weinturm-pretix-prod/secrets.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-pretix-cfg: ENC[AES256_GCM,data:sfgKDr9aNOdwlumoltRuD7u1ksykFdEKtzt3MldjQnG0b4iAEspEhjcxqaNvPpXYm8EZKtsLBBQgdd1ifyQgs3k69c/GfzQ/jZ/yQ2OUkCO7U9A=,iv:FADYpPbGEEM/pD6EI85s9wVMv8yMrGJa+miE25XQ+t8=,tag:WJ9LHCNFHSr9RmmUi6hxnw==,type:str]
-pretix-banktool-cfg: ENC[AES256_GCM,data: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,iv:kihK0wFCwvUUQg5+aKqQ6YNRyJjPvYllh0oVxJnee2w=,tag:InZaflGdiz7lXP2V+ZsyoA==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MjRZRzI5WDNSYXNNOXBE
- enNUdi9aWjRzMlU3THVMcGd2eC9zb0wwMFFZCnRQbUh6L3lxS1FKS2pqdUQ0aHg1
- K3dlNDhSK2VvYjdjRGppNTV5SE8zbUUKLS0tIHN0QldlNXJtRmRLL2c3SEU3eWkr
- MGh3UVh2R05WWDU3SDVFKzdvODRGQVUKo1u58Ra1dhAfBmv3xwLk/6+6/mFPJn0Z
- FyL7yjU6JMWzR/8FUv5lJAubudiZ8MnuH+10deGvQnT5AxG9fNzi5w==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-02-28T13:17:03Z"
- mac: ENC[AES256_GCM,data:Ytsc+CdGosiIkIS/Ck6YIYMFgSArM9o6VR9Hx4B1xlWUQV9DfUuJ+5Ev6SuAPfIhXLfBEpbAzmfqZaYq81M+tERQxYXEuOiz9+l/5j9hOTlrfporscz4Jb8wrPDOTj8kTVbWF9K73uB08zla4T+y5N735DBb+YOpztDouoLO1rw=,iv:vu78iCIv6M5vO4mLhlBTRl7cpys4BBsdPWnRUqd+Fmo=,tag:/GlbV2/IhRZuXNkzSVwOMQ==,type:str]
- pgp:
- - created_at: "2024-01-31T01:20:41Z"
- enc: |-
- -----BEGIN PGP MESSAGE-----
-
- hF4DY/xpNY5WhB0SAQdAj+5TReNbi6wBP+ftlrJK9jfrHor2FveQMlmHsfHGkjMw
- lGlhoHuDnRbVCWC4ruHGFtOclvw2Kjja7ZWbc+7CX34KREAETN89Jic2tGmQKY9q
- 0l4B2gqyXsnrpD/n+gOJlnpZcxlUX0iriO5POEf9czTsFKRFnTdZcAX+7Dgv7Iqn
- TkJJLYo64mpV3TPvcj2UlejcANcNV82gDWwIbLdKs2UPdFVJqfpP2z6V5bQCML/y
- =4iJS
- -----END PGP MESSAGE-----
- fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
- unencrypted_suffix: _unencrypted
- version: 3.9.4
diff --git a/hosts/weinturm-pretix-prod/services/default.nix b/hosts/weinturm-pretix-prod/services/default.nix
deleted file mode 100644
index 731194c..0000000
--- a/hosts/weinturm-pretix-prod/services/default.nix
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- imports = [
- ./pretix.nix
- ];
-}
diff --git a/hosts/weinturm-pretix-prod/services/pretix.nix b/hosts/weinturm-pretix-prod/services/pretix.nix
deleted file mode 100644
index 94fa3ab..0000000
--- a/hosts/weinturm-pretix-prod/services/pretix.nix
+++ /dev/null
@@ -1,110 +0,0 @@
-{ config, lib, ... }:
-
-let
- cfg = config.services.pretix;
- inherit (config.networking) ports;
- domain = "tickets.weinturm-open-air.de";
- extraDomains = [
- "tickets.weinturm.jalr.de"
- "tickets.wasted-openair.de"
- "oel.wasted-openair.de"
- "tickets.buendnis-gegen-rechts-nea.de"
- ];
- gunicornWorkers = 4;
- secretsFile = ../secrets.yaml;
-in
-{
- sops.secrets = {
- pretix-cfg = {
- sopsFile = secretsFile;
- };
- pretix-banktool-cfg = {
- sopsFile = secretsFile;
- };
- };
-
- # Add user to `redis-pretix` group
- # to grant access to /run/redis-pretix/redis.sock
- users.users.pretix.extraGroups = [ "redis-pretix" ];
-
- networking.firewall.allowedTCPPorts = [ 80 443 ];
-
- security.acme = {
- acceptTerms = true;
- defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
- };
-
- jalr.mailserver = {
- enable = true;
- fqdn = "tickets.weinturm-open-air.de";
- relayPort = ports.postfix-relay.tcp;
- domains = [
- {
- domain = "tickets.weinturm-open-air.de";
- enableDKIM = false;
- }
- ];
- messageSizeLimit = 10 * 1024 * 1024;
- users = [ ];
- spam.enable = false;
- };
-
- services = {
- pretix = {
- enable = true;
- settings = {
- pretix = {
- instance_name = "Digitaler Dienst GmbH";
- url = "https://${domain}";
- registration = false;
- password_reset = true;
- };
- locale = {
- default = "de";
- timezone = "Europe/Berlin";
- };
- mail = {
- from = "no-reply@tickets.weinturm-open-air.de";
- };
- redis.location = "unix:///run/redis-pretix/redis.sock?db=0";
- celery.backend = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=2";
- celery.broker = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=1";
- };
- nginx = {
- enable = true;
- inherit domain;
- };
- gunicorn = {
- extraArgs = [
- "--workers=${toString gunicornWorkers}"
- ];
- };
- };
-
- pretix-banktool = {
- enable = true;
- days = 14;
- secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
- };
-
- nginx = lib.mkIf cfg.nginx.enable {
- recommendedGzipSettings = true;
- recommendedOptimisation = true;
- recommendedProxySettings = true;
- recommendedTlsSettings = true;
- virtualHosts = {
- "${cfg.nginx.domain}" = {
- enableACME = true;
- forceSSL = true;
- kTLS = true;
- extraConfig = ''
- add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
- more_set_headers Referrer-Policy same-origin;
- more_set_headers X-Content-Type-Options nosniff;
- '';
- serverAliases = extraDomains;
- };
- };
- };
- };
-}
diff --git a/pkgs/default.nix b/pkgs/default.nix
index 2eb4b51..5a27c44 100644
--- a/pkgs/default.nix
+++ b/pkgs/default.nix
@@ -23,7 +23,6 @@ in
 inherit poetry2nix;
 };
 pomodoro-timer = callPackage ./pomodoro-timer { };
- pretix-banktool = callPackage ./pretix-banktool { };
 tabbed-box-maker = callPackage ./tabbed-box-maker { };
 vesc-firmware = callPackage ./vesc-tool/firmware.nix { };
 vesc-tool = callPackage ./vesc-tool/tool.nix { };
diff --git a/pkgs/modules.nix b/pkgs/modules.nix
index 8a82e06..067cbc4 100644
--- a/pkgs/modules.nix
+++ b/pkgs/modules.nix
@@ -3,6 +3,5 @@
 ./asterisk-sounds-de/module.nix
 ./ksoloti/module.nix
 ./myintercom-doorbell/module.nix
- ./pretix-banktool/module.nix
 ];
 }
diff --git a/pkgs/pretix-banktool/default.nix b/pkgs/pretix-banktool/default.nix
deleted file mode 100644
index d685c12..0000000
--- a/pkgs/pretix-banktool/default.nix
+++ /dev/null
@@ -1,27 +0,0 @@
-{ python3Packages, fetchFromGitHub }:
-python3Packages.buildPythonApplication rec {
- name = "pretix-banktool";
- version = "1.0.0";
-
- src = fetchFromGitHub {
- owner = "pretix";
- repo = "pretix-banktool";
- rev = "v${version}";
- sha256 = "vYHjotx1RujPV53Ei7bXAc3kL/3cwbWQB1T3sQ15MFA=";
- };
-
- patches = [
- ./requirements.patch
- ];
-
- buildInputs = with python3Packages; [
- pip
- ];
-
- propagatedBuildInputs = with python3Packages; [
- click
- fints
- mt-940
- requests
- ];
-}
diff --git a/pkgs/pretix-banktool/module.nix b/pkgs/pretix-banktool/module.nix
deleted file mode 100644
index 9c58157..0000000
--- a/pkgs/pretix-banktool/module.nix
+++ /dev/null
@@ -1,49 +0,0 @@
-{ config, lib, pkgs, ... }:
-
-let
- cfg = config.services.pretix-banktool;
-in
-{
- options.services.pretix-banktool = with lib; with lib.types; {
- enable = mkEnableOption "Enable tool to query bank account and sync transaction data to pretix server.";
- days = mkOption {
- type = types.int;
- description = "The timeframe of transaction to fetch from the bank in days.";
- };
- secretsFile = mkOption {
- type = types.path;
- description = ''
- Path of file containing secrets for pretix banktool.
- '';
- };
- };
- config = {
- systemd.services.pretix-banktool = lib.mkIf cfg.enable {
- description = "Tool to query bank account and sync transaction data to pretix server.";
- serviceConfig = {
- Type = "oneshot";
- DynamicUser = true;
- CapabilityBoundingSet = null;
- PrivateUsers = true;
- ProtectHome = true;
- RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
- RestrictNamespaces = true;
- SystemCallFilter = "@system-service";
- LoadCredential = "config:${cfg.secretsFile}";
- };
- script = "${pkgs.pretix-banktool}/bin/pretix-banktool upload \"$CREDENTIALS_DIRECTORY/config\" --days=${toString cfg.days}";
- };
-
- systemd.timers.pretix-banktool = lib.mkIf cfg.enable {
- description = "Run tool to query bank account and sync transaction data to pretix server.";
- after = [ "network.target" ];
- wantedBy = [ "timers.target" ];
- timerConfig = {
- Persistent = true;
- OnCalendar = "*-*-* *:00:00";
- Unit = "pretix-banktool.service";
- };
- };
- };
-}
-
diff --git a/pkgs/pretix-banktool/requirements.patch b/pkgs/pretix-banktool/requirements.patch
deleted file mode 100644
index cb78385..0000000
--- a/pkgs/pretix-banktool/requirements.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-diff --git a/setup.py b/setup.py
-index 2eba88a..7041acd 100644
---- a/setup.py
-+++ b/setup.py
-@@ -19,8 +19,8 @@ setup(
- author_email='mail@raphaelmichel.de',
-
- install_requires=[
-- 'click==6.*',
-- 'fints>=3.0.*',
-+ 'click>=6,<8.2',
-+ 'fints>=3,<4.1',
- 'requests',
-- 'mt-940>=4.12*',
-+ 'mt-940==4.30.0',
- ],
---
-2.38.3