From 121dd0a1ec96947e2a97c7bb7ebdb63f51d514c2 Mon Sep 17 00:00:00 2001
From: lilly <li@lly.sh>
Date: Tue, 9 Jun 2026 21:42:26 +0200
Subject: [PATCH] add ueberwachungs-frei kundgebung site

---
 .../virtualHosts/default.nix                  |  1 +
 .../ueberwachungsfrei-kundgebung.nix          | 77 +++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix

diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index d1c1355..61008d2 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -27,5 +27,6 @@
     ./diday.org.nix
     ./staging.diday.org.nix
     ./historic-easterhegg
+    ./ueberwachungsfrei-kundgebung.nix
   ];
 }
diff --git a/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix b/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
new file mode 100644
index 0000000..ddc5182
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
@@ -0,0 +1,77 @@
+{ pkgs, ... }:
+
+let
+  domain = "ueberwachungsfrei-kundgebung.hamburg.ccc.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "ueberwachungsfrei-deploy";
+in {
+  # TODO: Add proper domain once that is available
+  security.acme.certs."${domain}".extraDomainNames = [ ];
+
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+      serverAliases = [
+        # TODO: Add proper domains here too
+      ];
+
+      listen = [
+        {
+          addr = "[::]";
+          port = 31820;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "[::]";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      # TODO: Maybe add a deploy key if we want CI/CD
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}