From 121dd0a1ec96947e2a97c7bb7ebdb63f51d514c2 Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 9 Jun 2026 21:42:26 +0200
Subject: [PATCH 1/2] add ueberwachungs-frei kundgebung site
---
 .../virtualHosts/default.nix | 1 +
 .../ueberwachungsfrei-kundgebung.nix | 77 +++++++++++++++++++
 2 files changed, 78 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index d1c1355..61008d2 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -27,5 +27,6 @@
 ./diday.org.nix
 ./staging.diday.org.nix
 ./historic-easterhegg
+ ./ueberwachungsfrei-kundgebung.nix
 ];
 }
diff --git a/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix b/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
new file mode 100644
index 0000000..ddc5182
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
@@ -0,0 +1,77 @@
+{ pkgs, ... }:
+
+let
+ domain = "ueberwachungsfrei-kundgebung.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "ueberwachungsfrei-deploy";
+in {
+ # TODO: Add proper domain once that is available
+ security.acme.certs."${domain}".extraDomainNames = [ ];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+ serverAliases = [
+ # TODO: Add proper domains here too
+ ];
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 31820;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ # TODO: Maybe add a deploy key if we want CI/CD
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
From 0f22b1158ecbac1c6977e7729addaf637b2b34da Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 11 Jun 2026 14:45:19 +0200
Subject: [PATCH 2/2] move ueberwachungsfrei kundgebung page to own domain
---
 .../virtualHosts/ueberwachungsfrei-kundgebung.nix | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)
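Review bot: `users.users."${deployUser}"` is declared with `isNormalUser = true`, which on NixOS gives the account a home directory and the default login shell, so the deploy key anticipated by the TODO would grant an interactive shell on the web host rather than only write access to `${dataDir}`. When that key is added I would prefix it with OpenSSH's `restrict` option and a forced command limited to the upload tool, e.g. `restrict,command="<upload-command placeholder>" <key placeholder>`, and extend the TODO now to `# TODO: Maybe add a deploy key if we want CI/CD (restrict it to uploads into dataDir)`. Separately, the 8443 listeners accept PROXY protocol on `0.0.0.0` and `[::]` while only 172.31.17.140 is trusted by `set_real_ip_from`; whether the port is firewalled to that proxy cannot be seen from this hunk, so a comment such as `# 8443 must only be reachable from the proxy-protocol proxy` next to the `listen` block would record the assumption.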
diff --git a/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix b/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
index ddc5182..ce87788 100644
--- a/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
+++ b/config/hosts/public-web-static/virtualHosts/ueberwachungsfrei-kundgebung.nix
@@ -1,19 +1,20 @@
 { pkgs, ... }:
 
 let
- domain = "ueberwachungsfrei-kundgebung.hamburg.ccc.de";
+ domain = "ueberwachungsfrei.eu";
 dataDir = "/var/www/${domain}";
 deployUser = "ueberwachungsfrei-deploy";
 in {
- # TODO: Add proper domain once that is available
- security.acme.certs."${domain}".extraDomainNames = [ ];
+ security.acme.certs."${domain}".extraDomainNames = [
+ "xn--berwachungsfrei-yvb.eu"
+ ];
 
 services.nginx.virtualHosts = {
 "acme-${domain}" = {
 enableACME = true;
 serverName = "${domain}";
 serverAliases = [
- # TODO: Add proper domains here too
+ "xn--berwachungsfrei-yvb.eu"
 ];
 
 listen = [
@@ -31,6 +32,10 @@ in {
 "${domain}" = {
 forceSSL = true;
 useACMEHost = "${domain}";
+ serverAliases = [
+ "überwachungsfrei.eu"
+ "xn--berwachungsfrei-yvb.eu"
+ ];
 
 listen = [
 {
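Review bot: Changing `domain` in the first hunk also moves the web root, because the context line `dataDir = "/var/www/${domain}";` is derived from it, so after this commit nginx serves from a newly created `/var/www/ueberwachungsfrei.eu` and anything already deployed under the old directory stays behind, still owned by the deploy user. If content was uploaded between the two commits it has to be moved by hand; a short comment above `dataDir`, e.g. `# NOTE: derived from domain - renaming the domain moves the web root`, would make that coupling visible. The old hostname is also removed without a redirect or alias, which matters only if links to it were already published.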
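Review bot: The `"überwachungsfrei.eu"` entry added to `serverAliases` in the second hunk will, as far as I can tell, never match a request: nginx compares `server_name` with the Host header, which clients send in ASCII (Punycode) form, and the nginx documentation asks for internationalized names to be written that way. The `"xn--berwachungsfrei-yvb.eu"` entry already covers the name, and the `acme-${domain}` vhost in the first hunk lists only the Punycode form, so I would drop the Unicode entry and keep it as a comment instead, e.g. `# überwachungsfrei.eu` above the Punycode line. The `"${domain}"` vhost block continues past the end of this hunk.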