diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index f1ad527..91d3a40 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix @@ -1,10 +1,19 @@ { pkgs, ... }: -{ +let + domain = "c3cat.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3cat-website-deploy"; +in { + security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ]; + services.nginx.virtualHosts = { - "acme-c3cat.de" = { + "acme-${domain}" = { enableACME = true; - serverName = "c3cat.de"; + serverName = "${domain}"; + serverAliases = [ + "www.${domain}" + ]; listen = [ { @@ -14,9 +23,9 @@ ]; }; - "c3cat.de" = { + "$www.${domain}" = { forceSSL = true; - useACMEHost = "c3cat.de"; + useACMEHost = "${domain}"; listen = [ { @@ -28,7 +37,7 @@ ]; locations."/" = { - return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start"; + return = "302 https://c3cat.de$request_uri"; }; extraConfig = '' @@ -42,5 +51,45 @@ real_ip_header proxy_protocol; ''; }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de" + ]; + }; + users.groups."${deployUser}" = { }; } diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index dac4fa4..c9d77ef 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -9,6 +9,7 @@ ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix + ./staging.c3cat.de.nix ./staging.hacker.tours.nix ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix new file mode 100644 index 0000000..c91d283 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix @@ -0,0 +1,60 @@ +{ pkgs, ... }: + +let + domain = "staging.c3cat.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3cat-website-deploy"; +in { + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + # Disallow *, since this is staging and doesn't need to be in any search + # results. + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: *\\n\""; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + # c3cat deploy user already defined in c3cat.de.nix. +}