From b0995784fc5a1dbc9ad843894ec2139375448f00 Mon Sep 17 00:00:00 2001
From: julian
Date: Wed, 25 Oct 2023 02:17:21 +0200
Subject: [PATCH] Add next.hamburg.ccc.de virtualHost config for hosting the new website In the future next.hamburg.ccc.de might also be used for hosting website builds of branches or MRs.
---
 .../virtualHosts/default.nix | 1 +
 .../virtualHosts/next.hamburg.ccc.de.nix | 53 +++++++++++++++++++
 2 files changed, 54 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index dadf345..b4c4a06 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -4,5 +4,6 @@
 imports = [
 ./branding-resources.hamburg.ccc.de.nix
 ./element.hamburg.ccc.de.nix
+ ./next.hamburg.ccc.de.nix
 ];
 }
diff --git a/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
new file mode 100644
index 0000000..592d04a
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix
@@ -0,0 +1,53 @@
+{ pkgs, ... }:
+
+{
+ services.nginx.virtualHosts = {
+ "acme-next.hamburg.ccc.de" = {
+ enableACME = true;
+ serverName = "next.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "next.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "next.hamburg.ccc.de";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ extraParameters = [ "proxy_protocol" ];
+ }
+ ];
+
+ root = "/var/www/next.hamburg.ccc.de/";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ users.users.ccchh-website-deploy = {
+ isNormalUser = true;
+ group = "ccchh-website-deploy";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key"
+ ];
+ };
+ users.groups.ccchh-website-deploy = { };
+}
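Review bot: The deployment key under `users.users.ccchh-website-deploy` is installed with no authorized_keys options, and `isNormalUser = true` gives the account a regular login shell, so whoever holds the private key on the CI side gets an interactive session on this host (and, unless sshd is configured otherwise elsewhere, forwarding) rather than only the ability to upload a site build. Prefixing the entry with OpenSSH's `restrict` option, i.e. `"restrict ssh-ed25519 AAAA… next.hamburg.ccc.de deployment key"`, removes PTY allocation and forwarding, and if the deployment is rsync- or sftp-based (not visible in this file) a forced `command="…"` would narrow the key to that single transfer. This matters more once builds of branches or MRs are deployed with the same key, as the commit message anticipates, because those pipelines run less-reviewed code. Nothing in this file creates `/var/www/next.hamburg.ccc.de/` or grants the deploy user write access to it, so that presumably lives elsewhere; a short comment above `root` saying where would help the next reader.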