configure diday website dpeloyment

This commit is contained in:
lilly 2026-02-17 22:56:53 +01:00
commit be8581c2d0
Signed by: lilly
SSH key fingerprint: SHA256:y9T5GFw2A20WVklhetIxG1+kcg/Ce0shnQmbu1LQ37g
6 changed files with 170 additions and 6 deletions


@ -15,6 +15,29 @@
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token"; tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
labels = [ "docker:docker://node:current-bookworm" ]; labels = [ "docker:docker://node:current-bookworm" ];
settings = { settings = {
cache = {
proxy_port = 45540;
};
runner = {
capacity = 4;
};
};
};
instances.ccchh-codeberg-org-diday = {
enable = true;
name = "ccchh runner for codeberg.org/di-day";
url = "https://codeberg.org/";
tokenFile = "/run/secrets/codeberg_org_diday_runner_registration_token";
labels = [
"docker:docker://node:current-bookworm"
"debian-latest:docker://node:current-bookworm"
"alpine-latest:docker://node:current-alpine"
];
settings = {
cache = {
proxy_port = 45541;
};
runner = { runner = {
capacity = 4; capacity = 4;
}; };
@ -28,4 +51,10 @@
group = "root"; group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ]; restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
}; };
sops.secrets."codeberg_org_diday_runner_registration_token" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dcodeberg\\x2dorg\\x2ddiday.service" ];
};
} }
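Review bot: The new `instances.ccchh-codeberg-org-diday` block says nothing about what the registration token in `/run/secrets/codeberg_org_diday_runner_registration_token` is scoped to, and that scope decides who can run workflows on this host: a runner registered at organisation level executes jobs from every repository in the organisation, a repository-level one only from that repository. Add a comment above the instance stating the scope and the repository or organisation it serves, e.g. `# repository-scoped runner for codeberg.org/<org>/<repo>; re-register if the scope changes` with the real path filled in. The `labels` list maps `debian-latest` and `alpine-latest` onto node images, which is presumably deliberate for the website build, but a one-line comment would save the next reader from assuming these are plain distro images.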


@ -1,6 +1,8 @@
{ ... }: { lib, config, ... }:
let
{ runnerInstances = lib.attrValues config.services.gitea-actions-runner.instances;
runnerCachePorts = lib.map (i: i.settings.cache.proxy_port) runnerInstances;
in {
networking = { networking = {
interfaces.net0 = { interfaces.net0 = {
ipv4.addresses = [ ipv4.addresses = [
@ -19,4 +21,7 @@
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE"; matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
linkConfig.Name = "net0"; linkConfig.Name = "net0";
}; };
# open ports for runner cache proxy so that we can use the cache action
networking.firewall.allowedTCPPorts = runnerCachePorts;
} }
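Review bot: `networking.firewall.allowedTCPPorts = runnerCachePorts;` opens every runner's cache proxy port on all interfaces, including the one carrying the public `net0` addresses configured above, while only the job containers need to reach the cache proxy. If the proxy does no authentication of its own, anyone who can reach the host can read from or write to the actions cache, which feeds the build artifacts that later get deployed. Scoping the rule to the container bridge instead would be safer, e.g. `networking.firewall.interfaces.<container-bridge>.allowedTCPPorts = runnerCachePorts;` with the bridge name this host actually uses, and the comment could then say why the ports are not opened globally. The list is derived from all `gitea-actions-runner.instances`, so any future instance without `settings.cache.proxy_port` will fail evaluation here rather than in the runner module; worth a note since the error will point at this file.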


@ -1,4 +1,5 @@
forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str] forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
codeberg_org_diday_runner_registration_token: ENC[AES256_GCM,data:thTsLo/eXVPbXt4b8ldae+kGnOR4GbYKOqr1hVJgaL7wZ5GgqWSPcOuhow96Jw==,iv:Fzi+DsKj+4PrwQGEosUntm9l7s78NwzhkmF6e/sfF+s=,tag:oa7mnbGR0J5xi9ruCgRJtQ==,type:str]
sops: sops:
age: age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
@ -19,8 +20,8 @@ sops:
TklLZWM0cDBKaGJJM2tQQWRLZXhFYU0Ko7cyvzMvwlGCCP3UAX1+5uTI4srhZ5l9 TklLZWM0cDBKaGJJM2tQQWRLZXhFYU0Ko7cyvzMvwlGCCP3UAX1+5uTI4srhZ5l9
DPaHySiC+rLy+8R9UqEuTKbP4/Aw4NZ/UcfjNnVkqqqNJIODmLoOhg== DPaHySiC+rLy+8R9UqEuTKbP4/Aw4NZ/UcfjNnVkqqqNJIODmLoOhg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-05-26T00:29:52Z" lastmodified: "2026-02-18T09:51:37Z"
mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str] mac: ENC[AES256_GCM,data:4fWsE3U6WxRqlKHKC4ipE+RQ7MPjiZZcTFMSblxty7JjJHAdKUHbthFB+R8gIWxZEjX5WG+IPgUP+AcCLSI9fdcXMqIFMuDun2hiktwqxzLPGYAoCXdTBAd1uCUagvB/rFty6y8umD4J5ITgEGba9pvGdUcng9WVRV+LGDftS1g=,iv:tD9tlcylQWapNCARxPXrKofZXf2BHTt2c4PQqFNj6X8=,tag:pQ8lOqJEFCcCcJot3BYTmQ==,type:str]
pgp: pgp:
- created_at: "2026-02-17T22:21:57Z" - created_at: "2026-02-17T22:21:57Z"
enc: |- enc: |-
@ -145,4 +146,4 @@ sops:
-----END PGP MESSAGE----- -----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.8.1 version: 3.11.0


@ -18,6 +18,8 @@
./staging.hackertours.hamburg.ccc.de.nix ./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix
./staging.did.hamburg.ccc.de.nix
./did.hamburg.ccc.de.nix
./historic-easterhegg ./historic-easterhegg
]; ];
} }


@ -0,0 +1,68 @@
{ ... }:
let
domain = "did.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "diday-website-deploy";
in
{
# security.acme.certs."${domain}".extraDomainNames = [];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
];
};
users.groups."${deployUser}" = { };
}
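Review bot: The key under `openssh.authorizedKeys.keys` gives the Codeberg CI runner an unrestricted login as `diday-website-deploy`, and `isNormalUser = true` presumably leaves that account with the default interactive shell, although the only thing the pipeline needs is to write into `${dataDir}`. Prefixing the key with OpenSSH restriction options would bound what a leaked or abused runner credential can do, e.g. `"restrict,command=\"<deploy-command>\" ssh-ed25519 AAAA… codeberg-actions-runner"` (placeholder command), and a comment should name which repository or workflow holds the private half so it can be rotated. The same `deployUser` and therefore the same key is also the deploy target for `staging.did.hamburg.ccc.de.nix` in this commit, so staging and production share one credential; if that is intended, say so in a comment next to the key.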


@ -0,0 +1,59 @@
{ ... }:
let
domain = "staging.did.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "diday-website-deploy";
in
{
# security.acme.certs."${domain}".extraDomainNames = [];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
}
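Review bot: The tmpfiles rule `"d ${dataDir} 0755 ${deployUser} ${deployUser}"` references a user and group that this module never declares; they only exist because `did.hamburg.ccc.de.nix` declares them, so importing the staging module on its own, or removing the production one later, makes the rule fail at boot with an unknown owner. Either move the `users.users`/`users.groups` declarations into a shared module both files import, or document the coupling here, e.g. `# deploy user/group are declared in ./did.hamburg.ccc.de.nix; both modules must be imported together`. The rest of the file is otherwise a copy of the production vhost with only `domain` changed, so a small shared function taking the domain would remove the duplication, including the duplicated realip comment block.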