From 709afd0a1dfc14bbf213542bb4445d8cdb153892 Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 25 Jan 2026 20:44:07 +0100
Subject: [PATCH] Add cpu.ccc.de to static web host (under cpuccc.hamburg.ccc.de for now)
---
 .../virtualHosts/cpu.ccc.de.nix | 87 +++++++++++++++++++
 .../virtualHosts/default.nix | 1 +
 2 files changed, 88 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
new file mode 100644
index 0000000..d0d01f3
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
@@ -0,0 +1,87 @@
+{ ... }:
+
+let
+ # For now under cpuccc.hamburg.ccc.de.
+ domain = "cpuccc.hamburg.ccc.de";
+ # dataDir = "/var/www/${domain}";
+ dataDir = "/var/www/cpu.ccc.de";
+ deployUser = "cpuccc-website-deploy";
+in
+{
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ index index.html;
+ default_type text/plain;
+
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ port_in_redirect off;
+ '';
+
+ locations."/" = {
+ tryFiles = "$uri $uri/ =404";
+
+ extraConfig = ''
+ location /feed/ {
+ default_type application/rss+xml;
+ types {
+ text/xml application/rss+xml;
+ }
+ }
+
+ location /rss {
+ default_type application/rss+xml;
+ }
+ '';
+ };
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 793829a..3532c25 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
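Review bot: The deploy key under `users.users."${deployUser}"` is listed in `openssh.authorizedKeys.keys` with no key options, and together with `isNormalUser = true` that presumably gives whoever holds the key an interactive login on the shared static web host, not just write access to `${dataDir}`. Since the entries are plain authorized_keys lines, the key can be narrowed in place, e.g. `"restrict,command=\"<FORCED_UPLOAD_COMMAND_PLACEHOLDER>\" ssh-ed25519 … deploy key for cpu.ccc.de"`, so that a leaked deploy key can only publish the site. Separately, both `listen` entries bind `0.0.0.0`; `set_real_ip_from 172.31.17.140` stops other peers from rewriting `$remote_addr`, but whether ports 8443 and 31820 are reachable only from that proxy depends on firewall rules not visible in this patch, so a comment such as `# 8443/31820 must only be reachable from the proxy-protocol proxy` next to the listeners would help.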
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -4,6 +4,7 @@
 imports = [
 ./branding-resources.hamburg.ccc.de.nix
 ./c3cat.de.nix
+ ./cpu.ccc.de.nix
 ./cryptoparty-hamburg.de.nix
 ./element-admin.hamburg.ccc.de.nix
 ./element.hamburg.ccc.de.nix