public-web-static: setup cpu.ccc.de with redirects from aliases

2026-01-27 15:36:23 +01:00 · 2026-01-27 15:36:23 +01:00 · 193ccedbee
commit 193ccedbee
parent 709afd0a1d
1 changed files with 37 additions and 4 deletions
--- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
@ -1,13 +1,17 @@
 { ... }:

 let
-  # For now under cpuccc.hamburg.ccc.de.
-  domain = "cpuccc.hamburg.ccc.de";
-  # dataDir = "/var/www/${domain}";
-  dataDir = "/var/www/cpu.ccc.de";
+  domain = "cpu.ccc.de";
+  dataDir = "/var/www/${domain}";
  deployUser = "cpuccc-website-deploy";
 in
 {
+  security.acme.certs."cpu.ccc.de".extraDomainNames = [
+    "cpuccc.hamburg.ccc.de"
+    "lokal.ccc.de"
+    "local.ccc.de"
+  ];
+
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
@ -70,6 +74,35 @@ in
        '';
      };
    };
+
+    "cpuccc.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "cpu.ccc.de";
+      serverAliases = [
+        "lokal.ccc.de"
+        "local.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://cpu.ccc.de";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
  };

  systemd.tmpfiles.rules = [