From 3e3cedd35770d358ea523559853d7440e834040a Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 24 Feb 2026 16:28:58 +0100
Subject: [PATCH 1/2] add www2 and www3 hosts
---
inventories/chaosknoten/hosts.yaml | 18 ++++++++++++++++++
1 file changed, 18 insertions(+)
diff --git a/inventories/chaosknoten/hosts.yaml b/inventories/chaosknoten/hosts.yaml
index e7f0559..7bf4544 100644
--- a/inventories/chaosknoten/hosts.yaml
+++ b/inventories/chaosknoten/hosts.yaml
@@ -86,6 +86,14 @@ all:
ansible_host: acmedns.hosts.hamburg.ccc.de
ansible_user: chaos
ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ www2:
+ ansible_host: www2.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
+ www3:
+ ansible_host: www3.hosts.hamburg.ccc.de
+ ansible_user: chaos
+ ansible_ssh_common_args: -J ssh://chaos@router.hamburg.ccc.de
hypervisors:
hosts:
chaosknoten:
@@ -113,6 +121,8 @@ base_config_hosts:
renovate:
spaceapiccc:
mjolnir:
+ www2:
+ www3:
systemd_networkd_hosts:
hosts:
router:
@@ -158,6 +168,8 @@ nginx_hosts:
ntfy:
sunders:
spaceapiccc:
+ www2:
+ www3:
public_reverse_proxy_hosts:
hosts:
public-reverse-proxy:
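Review bot: `www3` joins `nginx_hosts` in this hunk, but the series only adds `host_vars/www2.yaml`, so no `nginx__configurations` for www3 is visible here. Unless a `host_vars/www3.yaml` exists outside this patch, the nginx role would presumably run on www3 with its defaults, which leaves a web server up with no reviewed site configuration. I would either keep `www3:` out of this group until its configuration lands or add the host_vars file in the same series.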
@@ -200,6 +212,8 @@ alloy_hosts:
router:
sunders:
spaceapiccc:
+ www2:
+ www3:
infrastructure_authorized_keys_hosts:
hosts:
ccchoir:
@@ -221,6 +235,8 @@ infrastructure_authorized_keys_hosts:
renovate:
spaceapiccc:
mjolnir:
+ www2:
+ www3:
wiki_hosts:
hosts:
eh22-wiki:
@@ -253,6 +269,8 @@ ansible_pull_hosts:
ntfy:
spaceapiccc:
mjolnir:
+ # www2:
+ # www3:
msmtp_hosts:
hosts:
renovate_hosts:
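Review bot: The two commented-out entries `# www2:` and `# www3:` under `ansible_pull_hosts` carry no explanation, so a later reader cannot tell whether they are a pending to-do or a deliberate exclusion. Judging by the group name, these hosts will not pick up configuration changes on their own until the entries are enabled, and that includes the `infrastructure_authorized_keys_hosts` membership added in the previous hunk. I would replace them with one comment stating the condition, for example `# www2, www3: add to ansible-pull once <condition>`.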
From 41dc9c8529a3ec2c768afa0754a5bf819a33a6d7 Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 24 Feb 2026 17:01:25 +0100
Subject: [PATCH 2/2] configure www2 nginx
---
inventories/chaosknoten/host_vars/www2.yaml | 5 ++
.../chaosknoten/www2/nginx/diday.org.conf | 80 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 inventories/chaosknoten/host_vars/www2.yaml
create mode 100644 resources/chaosknoten/www2/nginx/diday.org.conf
diff --git a/inventories/chaosknoten/host_vars/www2.yaml b/inventories/chaosknoten/host_vars/www2.yaml
new file mode 100644
index 0000000..a8a9ce8
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/www2.yaml
@@ -0,0 +1,5 @@
+nginx__version_spec: ""
+nginx__configurations:
+ - name: diday.org
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/www2/nginx/diday.org.conf') }}"
+
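Review bot: `nginx__version_spec: ""` gives no hint of what an empty spec selects. If it means "do not pin, install whatever the package source currently offers", a one-line comment above it such as `# empty spec: no version pin` would mark that as a deliberate choice. The role's handling of the value is not visible in this patch, so confirm the meaning before wording the comment.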
diff --git a/resources/chaosknoten/www2/nginx/diday.org.conf b/resources/chaosknoten/www2/nginx/diday.org.conf
new file mode 100644
index 0000000..8cc655c
--- /dev/null
+++ b/resources/chaosknoten/www2/nginx/diday.org.conf
@@ -0,0 +1,80 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name diday.org;
+
+ # use our router as resolver
+ resolver 10.31.208.1;
+
+ # configure the ngx_http_realip_module to set $remote_addr and $remote_port to the
+ # information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ real_ip_header proxy_protocol;
+
+ # configure tls trustchain
+ ssl_certificate /dev/null;
+ ssl_certificate_key /dev/null;
+ ssl_trusted_certificate /dev/null;
+
+ #
+ # configure site
+ #
+ root /var/www/diday.org;
+ error_page 404 /404.html;
+ index index.html;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # return a redirect based on the map loaded from the webroot
+ if ($did_redirect_target ~ ^301:(.*)$) {
+ return 301 $1;
+ }
+ if ($did_redirect_target ~ ^302:(.*)$) {
+ return 302 $1;
+ }
+
+ # deny access to the redirects config file
+ location = /nginx-redirects.conf {
+ deny all;
+ return 404;
+ }
+
+ # dynamically redirect the user to the language they prefer
+ location = / {
+ set $lang "de";
+ if ($http_accept_language ~* "^en") {
+ set $lang "en";
+ }
+ return 302 /$lang/;
+ }
+
+ # configure decap-cms content-type and caching rules
+ location = /admin/cms.js {
+ expires -1;
+ add_header Cache-Control "no-store";
+ }
+ location = /admin/config.yml {
+ expires -1;
+ add_header Cache-Control "no-store";
+ types { }
+ default_type text/yaml;
+ }
+
+ # configure asset caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ }
+
+ # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
+ location /admin/src/ {
+ log_not_found off;
+ return 404;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
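Review bot: `real_ip_header proxy_protocol;` has no effect as written, because neither `listen` line carries the `proxy_protocol` parameter that nginx needs before it parses the PROXY header. If public-reverse-proxy does send that header, as the comment above `set_real_ip_from` says, the TLS handshake on this listener will fail; if it does not, `$remote_addr` stays the proxy's address in the logs and in any address-based rule. I would write `listen 443 ssl proxy_protocol;` and `listen [::]:443 ssl proxy_protocol;`, assuming no client reaches this port except through the proxy. Separately, the server-level `add_header Referrer-Policy ... always;` is not inherited by the three locations that set their own `add_header Cache-Control`, so it needs repeating there. The `/dev/null` certificate paths look like placeholders, and a comment saying what fills them in before deployment would help.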