CCCHH/nix-infra
CCCHH/nix-infra
2
3
Fork 2
Code Issues 1 Pull requests 1 Wiki Activity

public-web-static: make c3cat.de and www work as well as staging

Browse source
This commit is contained in:
June 2024-11-12 23:06:01 +01:00
commit cf46da9df7
Signed by: june
SSH key fingerprint: SHA256:o9EAq4Y9N9K0pBQeBTqhSDrND5E7oB+60ZNx0U1yPe0
3 changed files with 116 additions and 6 deletions
Download patch file Download diff file Expand all files Collapse all files

61
config/hosts/public-web-static/virtualHosts/c3cat.de.nix
View file

@ -1,10 +1,19 @@
{ pkgs, ... }:
{
let
domain = "c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
services.nginx.virtualHosts = {
"acme-c3cat.de" = {
"acme-${domain}" = {
enableACME = true;
serverName = "c3cat.de";
serverName = "${domain}";
serverAliases = [
"www.${domain}"
];
listen = [
{
@ -14,9 +23,9 @@
];
};
"c3cat.de" = {
"$www.${domain}" = {
forceSSL = true;
useACMEHost = "c3cat.de";
useACMEHost = "${domain}";
listen = [
{
@ -28,7 +37,7 @@
];
locations."/" = {
return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
return = "302 https://c3cat.de$request_uri";
};
extraConfig = ''
@ -42,5 +51,45 @@
real_ip_header proxy_protocol;
'';
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
];
};
users.groups."${deployUser}" = { };
}

1
config/hosts/public-web-static/virtualHosts/default.nix
View file

@ -9,6 +9,7 @@
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix

60
config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix Normal file
View file

@ -0,0 +1,60 @@
{ pkgs, ... }:
let
domain = "staging.c3cat.de";
dataDir = "/var/www/${domain}";
deployUser = "c3cat-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3cat deploy user already defined in c3cat.de.nix.
}