Remove pretix

Jakob Lechner 2025-05-03 00:18:51 +02:00
parent 391e4dd825
commit 2fe63eab34
12 changed files with 0 additions and 376 deletions

@ -10,10 +10,6 @@ in
cadmium = {
system = "x86_64-linux";
};
weinturm-pretix-prod = {
system = "aarch64";
targetHost = "142.132.185.70";
};
iron = {
system = "x86_64-linux";
#targetHost = "192.168.42.1";

@ -1,54 +0,0 @@
{ ... }: {
imports = [
./hardware-configuration.nix
../../users/jalr
./services
./ports.nix
];
networking.hostName = "weinturm-pretix-prod";
networking.useDHCP = false;
systemd.network = {
enable = true;
networks."10-wan" = {
matchConfig.Name = "enp1s0";
networkConfig.DHCP = "no";
address = [
"142.132.185.70/32"
"2a01:4f8:c012:edd::/64"
];
routes = [
{
Destination = "172.31.1.1";
}
{
Gateway = "172.31.1.1";
GatewayOnLink = true;
}
{
Gateway = "fe80::1";
}
];
};
};
zramSwap = {
enable = true;
algorithm = "zstd";
memoryPercent = 60;
priority = 1;
};
security.sudo.wheelNeedsPassword = false;
services.netdata.enable = true;
jalr = {
bootloader = "systemd-boot";
uefi.enable = true;
};
system.stateVersion = "24.05";
}

@ -1,64 +0,0 @@
{ lib, modulesPath, ... }:
{
imports = [ (modulesPath + "/profiles/qemu-guest.nix") ];
boot = {
initrd = {
availableKernelModules = [ "xhci_pci" "virtio_pci" "virtio_scsi" "usbhid" "sr_mod" ];
kernelModules = [ ];
};
kernelModules = [ ];
extraModulePackages = [ ];
};
fileSystems = {
"/" = {
device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
fsType = "btrfs";
options = [
"subvol=root"
"compress=zstd"
];
};
"/proc" = {
device = "/proc";
options = [ "nosuid" "noexec" "nodev" "hidepid=2" ];
};
"/home" = {
device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
fsType = "btrfs";
options = [
"subvol=home"
"compress=zstd"
"nodev"
"nosuid"
];
};
"/nix" = {
device = "/dev/disk/by-uuid/766739e7-2c5c-4c28-b6ee-4bf9f91e6b1f";
fsType = "btrfs";
options = [
"subvol=nix"
"compress=zstd"
"noatime"
"nodev"
];
};
"/boot" = {
device = "/dev/disk/by-uuid/A586-15AC";
fsType = "vfat";
options = [ "nodev" "nosuid" "noexec" ];
};
};
swapDevices = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault true;
# networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "aarch64-linux";
}

@ -1,10 +0,0 @@
{ custom-utils, ... }:
{
config.networking.ports = custom-utils.validatePortAttrset {
nginx-http.tcp = 80;
nginx-https.tcp = 443;
postfix-relay.tcp = 25;
postfix-submission.tcp = 465;
};
}

@ -1,33 +0,0 @@
pretix-cfg: ENC[AES256_GCM,data:sfgKDr9aNOdwlumoltRuD7u1ksykFdEKtzt3MldjQnG0b4iAEspEhjcxqaNvPpXYm8EZKtsLBBQgdd1ifyQgs3k69c/GfzQ/jZ/yQ2OUkCO7U9A=,iv:FADYpPbGEEM/pD6EI85s9wVMv8yMrGJa+miE25XQ+t8=,tag:WJ9LHCNFHSr9RmmUi6hxnw==,type:str]
pretix-banktool-cfg: ENC[AES256_GCM,data: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,iv:kihK0wFCwvUUQg5+aKqQ6YNRyJjPvYllh0oVxJnee2w=,tag:InZaflGdiz7lXP2V+ZsyoA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1djjxl3lcvzs85nj0met6w8ujsz8pvr6ngmmdwlxfh0k9d5lkrpdqlzzehf
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3MjRZRzI5WDNSYXNNOXBE
enNUdi9aWjRzMlU3THVMcGd2eC9zb0wwMFFZCnRQbUh6L3lxS1FKS2pqdUQ0aHg1
K3dlNDhSK2VvYjdjRGppNTV5SE8zbUUKLS0tIHN0QldlNXJtRmRLL2c3SEU3eWkr
MGh3UVh2R05WWDU3SDVFKzdvODRGQVUKo1u58Ra1dhAfBmv3xwLk/6+6/mFPJn0Z
FyL7yjU6JMWzR/8FUv5lJAubudiZ8MnuH+10deGvQnT5AxG9fNzi5w==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-02-28T13:17:03Z"
mac: ENC[AES256_GCM,data:Ytsc+CdGosiIkIS/Ck6YIYMFgSArM9o6VR9Hx4B1xlWUQV9DfUuJ+5Ev6SuAPfIhXLfBEpbAzmfqZaYq81M+tERQxYXEuOiz9+l/5j9hOTlrfporscz4Jb8wrPDOTj8kTVbWF9K73uB08zla4T+y5N735DBb+YOpztDouoLO1rw=,iv:vu78iCIv6M5vO4mLhlBTRl7cpys4BBsdPWnRUqd+Fmo=,tag:/GlbV2/IhRZuXNkzSVwOMQ==,type:str]
pgp:
- created_at: "2024-01-31T01:20:41Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DY/xpNY5WhB0SAQdAj+5TReNbi6wBP+ftlrJK9jfrHor2FveQMlmHsfHGkjMw
lGlhoHuDnRbVCWC4ruHGFtOclvw2Kjja7ZWbc+7CX34KREAETN89Jic2tGmQKY9q
0l4B2gqyXsnrpD/n+gOJlnpZcxlUX0iriO5POEf9czTsFKRFnTdZcAX+7Dgv7Iqn
TkJJLYo64mpV3TPvcj2UlejcANcNV82gDWwIbLdKs2UPdFVJqfpP2z6V5bQCML/y
=4iJS
-----END PGP MESSAGE-----
fp: 3044E71E3DEFF49B586CF5809BF4FCCB90854DA9
unencrypted_suffix: _unencrypted
version: 3.9.4

@ -1,5 +0,0 @@
{
imports = [
./pretix.nix
];
}

@ -1,110 +0,0 @@
{ config, lib, ... }:
let
cfg = config.services.pretix;
inherit (config.networking) ports;
domain = "tickets.weinturm-open-air.de";
extraDomains = [
"tickets.weinturm.jalr.de"
"tickets.wasted-openair.de"
"oel.wasted-openair.de"
"tickets.buendnis-gegen-rechts-nea.de"
];
gunicornWorkers = 4;
secretsFile = ../secrets.yaml;
in
{
sops.secrets = {
pretix-cfg = {
sopsFile = secretsFile;
};
pretix-banktool-cfg = {
sopsFile = secretsFile;
};
};
# Add user to `redis-pretix` group
# to grant access to /run/redis-pretix/redis.sock
users.users.pretix.extraGroups = [ "redis-pretix" ];
networking.firewall.allowedTCPPorts = [ 80 443 ];
security.acme = {
acceptTerms = true;
defaults.email = lib.mkForce "helfer@weinturm-open-air.de";
};
jalr.mailserver = {
enable = true;
fqdn = "tickets.weinturm-open-air.de";
relayPort = ports.postfix-relay.tcp;
domains = [
{
domain = "tickets.weinturm-open-air.de";
enableDKIM = false;
}
];
messageSizeLimit = 10 * 1024 * 1024;
users = [ ];
spam.enable = false;
};
services = {
pretix = {
enable = true;
settings = {
pretix = {
instance_name = "Digitaler Dienst GmbH";
url = "https://${domain}";
registration = false;
password_reset = true;
};
locale = {
default = "de";
timezone = "Europe/Berlin";
};
mail = {
from = "no-reply@tickets.weinturm-open-air.de";
};
redis.location = "unix:///run/redis-pretix/redis.sock?db=0";
celery.backend = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=2";
celery.broker = "redis+socket:///run/redis-pretix/redis.sock?virtual_host=1";
};
nginx = {
enable = true;
inherit domain;
};
gunicorn = {
extraArgs = [
"--workers=${toString gunicornWorkers}"
];
};
};
pretix-banktool = {
enable = true;
days = 14;
secretsFile = config.sops.secrets.pretix-banktool-cfg.path;
};
nginx = lib.mkIf cfg.nginx.enable {
recommendedGzipSettings = true;
recommendedOptimisation = true;
recommendedProxySettings = true;
recommendedTlsSettings = true;
virtualHosts = {
"${cfg.nginx.domain}" = {
enableACME = true;
forceSSL = true;
kTLS = true;
extraConfig = ''
add_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload' always;
more_set_headers Referrer-Policy same-origin;
more_set_headers X-Content-Type-Options nosniff;
'';
serverAliases = extraDomains;
};
};
};
};
}