configure diday.org on public-static-web

2026-02-26 18:01:34 +01:00 · 2026-02-26 18:01:34 +01:00 · 99efc60fce
commit 99efc60fce
parent a8229bfd0d
3 changed files with 144 additions and 124 deletions
--- a/config/hosts/public-web-static/virtualHosts/diday.org.nix
+++ b/config/hosts/public-web-static/virtualHosts/diday.org.nix
@ -0,0 +1,143 @@
+{ ... }:
+
+let
+  domain = "diday.org";
+  dataDir = "/var/www/${domain}";
+  deployUser = "diday-website-deploy";
+in
+{
+  security.acme.certs."${domain}".extraDomainNames = [
+    "did.hamburg.ccc.de"
+  ];
+
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "did.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      extraConfig = ''
+        return 301 https://diday.org;
+      '';
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+
+        port_in_redirect off;
+
+        index index.html;
+
+        add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+        # return a redirect based on the map loaded from the webroot
+        if ($did_redirect_target ~ ^301:(.*)$) {
+          return 301 $1;
+        }
+        if ($did_redirect_target ~ ^302:(.*)$) {
+          return 302 $1;
+        }
+
+        # deny access to the redirects config file
+        location = /nginx-redirects.conf {
+          deny all;
+          return 404;
+        }
+
+        # dynamically redirect the user to the language they prefer
+        location = / {
+          set $lang "de";
+          if ($http_accept_language ~* "^en") {
+            set $lang "en";
+          }
+          return 302 /$lang/;
+        }
+
+        # configure decap-cms content-type and caching rules
+        location = /admin/cms.js {
+          expires -1;
+          add_header Cache-Control "no-store";
+        }
+        location = /admin/config.yml {
+          expires -1;
+          add_header Cache-Control "no-store";
+          types { }
+          default_type text/yaml;
+        }
+
+        # configure asset caching
+        location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+            expires 1y;
+            add_header Cache-Control "public, immutable";
+        }
+
+        # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
+        location /admin/src/ {
+            log_not_found off;
+            return 404;
+        }
+
+        location / {
+          try_files $uri $uri/ =404;
+        }
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}