From 7d7e45750f419098ce5673454d8bea09a8130f0c Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Tue, 24 Jun 2025 22:36:36 +0200
Subject: [PATCH 1/5] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixpkgs': 'github:nixos/nixpkgs/fd487183437963a59ba763c0cc4f27e3447dd6dd' (2025-06-12) → 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22)
• Updated input 'sops-nix': 'github:Mic92/sops-nix/8d215e1c981be3aa37e47aeabd4e61bb069548fd' (2025-05-18) → 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17)
---
 flake.lock | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/flake.lock b/flake.lock
index d8bfc27..d14aa58 100644
--- a/flake.lock
+++ b/flake.lock
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1749727998,
- "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=",
+ "lastModified": 1750622754,
+ "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd",
+ "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1747603214,
- "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+ "lastModified": 1750119275,
+ "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+ "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
 "type": "github"
 },
 "original": {
From f541a5dd6aaabffc94f22bce00f532ea339f985c Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Fri, 18 Jul 2025 21:33:30 +0200
Subject: [PATCH 2/5] flake.lock: Update
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Flake lock file updates:
• Updated input 'nixos-generators': 'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19) → 'github:nix-community/nixos-generators/032decf9db65efed428afd2fa39d80f7089085eb' (2025-07-07)
• Updated input 'nixpkgs': 'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22) → 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e' (2025-07-15)
• Updated input 'sops-nix': 'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17) → 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461' (2025-07-15)
---
 flake.lock | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/flake.lock b/flake.lock
index d14aa58..2ab41bb 100644
--- a/flake.lock
+++ b/flake.lock
@@ -35,11 +35,11 @@
 "nixpkgs": "nixpkgs"
 },
 "locked": {
- "lastModified": 1747663185,
- "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
+ "lastModified": 1751903740,
+ "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
 "owner": "nix-community",
 "repo": "nixos-generators",
- "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
+ "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
 "type": "github"
 },
 "original": {
@@ -66,11 +66,11 @@
 },
 "nixpkgs_2": {
 "locked": {
- "lastModified": 1750622754,
- "narHash": "sha256-kMhs+YzV4vPGfuTpD3mwzibWUE6jotw5Al2wczI0Pv8=",
+ "lastModified": 1752620740,
+ "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c7ab75210cb8cb16ddd8f290755d9558edde7ee1",
+ "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
 "type": "github"
 },
 "original": {
@@ -95,11 +95,11 @@
 ]
 },
 "locked": {
- "lastModified": 1750119275,
- "narHash": "sha256-Rr7Pooz9zQbhdVxux16h7URa6mA80Pb/G07T4lHvh0M=",
+ "lastModified": 1752544651,
+ "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
 "owner": "Mic92",
 "repo": "sops-nix",
- "rev": "77c423a03b9b2b79709ea2cb63336312e78b72e2",
+ "rev": "2c8def626f54708a9c38a5861866660395bb3461",
 "type": "github"
 },
 "original": {
From 0383e604a42d9f03a4270c84e6da4b7ad5689aaa Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Sat, 19 Jul 2025 20:59:07 +0200
Subject: [PATCH 3/5] element update
---
 .../public-web-static/virtualHosts/element.hamburg.ccc.de.nix | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
index 3c85954..d0da920 100644
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
@@ -1,10 +1,10 @@
 { pkgs, ... }:
 let
- elementWebVersion = "1.11.95";
+ elementWebVersion = "1.11.106";
 element-web = pkgs.fetchzip {
 url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
- sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
+ sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo=";
 };
 elementSecurityHeaders = ''
 # Configuration best practices
From a0d0d24d91dfad6c33f286f43785778a801c1a1c Mon Sep 17 00:00:00 2001
From: c6ristian
Date: Sun, 20 Jul 2025 20:35:02 +0200
Subject: [PATCH 4/5] sops updatekeys junes new key
---
 .sops.yaml | 11 +----------
 1 file changed, 1 insertion(+), 10 deletions(-)
diff --git a/.sops.yaml b/.sops.yaml
index 9a6ae2d..cc9178f 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -3,7 +3,7 @@ keys:
 - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
 - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
 - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
- - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+ - &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912
 - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
 - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
 - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
@@ -32,7 +32,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_git
 - path_regex: config/hosts/forgejo-actions-runner/.*
@@ -48,7 +47,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_forgejo_actions_runner
 - path_regex: config/hosts/matrix/.*
@@ -64,7 +62,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_matrix
 - path_regex: config/hosts/public-web-static/.*
@@ -80,7 +77,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_public_web_static
 - path_regex: config/hosts/mjolnir/.*
@@ -96,7 +92,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_mjolnir
 - path_regex: config/hosts/woodpecker/.*
@@ -112,7 +107,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_woodpecker
 - path_regex: config/hosts/penpot/.*
@@ -128,7 +122,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_penpot
 - path_regex: config/hosts/yate/.*
@@ -144,7 +137,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 age:
 - *host_age_yate
 - key_groups:
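Review bot: Only `.sops.yaml` changes in this commit (diffstat: 1 file changed), so the secrets matched by these `creation_rules` are still encrypted to the previous recipient set: the retired june key `91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C` and `*admin_gpg_dante` (dropped in every hunk from `@@ -32,7 +32,6 @@` through `@@ -159,7 +151,6 @@`) can still decrypt them, and the new june key `057870A2C72CD82566A3EC983695F4FCBCAE4912` cannot, until `sops updatekeys` is run on each secret file and the re-encrypted files are committed. Removing a recipient only affects files that are re-encrypted afterwards; if dropping dante is meant to revoke access rather than tidy the list, the secret values that key could already read need to be rotated as well. It would also help to note, in the commit message or a comment beside the `keys:` list, how the new fingerprint was verified before it was added.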
@@ -159,7 +151,6 @@ creation_rules:
 - *admin_gpg_echtnurich
 - *admin_gpg_max
 - *admin_gpg_c6ristian
- - *admin_gpg_dante
 stores:
 yaml:
 indent: 2
From 938adbd6f207ed8ba43048181c2c90a40c4e158f Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 23 Jul 2025 15:16:34 +0200
Subject: [PATCH 5/5] wip
---
 .../virtualHosts/cryptoparty-hamburg.de.nix | 64 +++++++++++++++++++
 .../virtualHosts/default.nix | 2 +
 .../staging.cryptoparty-hamburg.de.nix | 61 ++++++++++++++++++
 3 files changed, 127 insertions(+)
 create mode 100644 config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
 create mode 100644 config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
new file mode 100644
index 0000000..dd967aa
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
@@ -0,0 +1,64 @@
+{ ... }:
+
+let
+ domain = "cryptoparty-hamburg.de";
+ dataDir = "/var/www/cryptoparty-hamburg.de";
+ deployUser = "cryptoparty-website-deploy";
+in
+{
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index c9d77ef..59e69e6 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
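Review bot: The `users.users."${deployUser}"` block gives the deploy account an unrestricted interactive login (`isNormalUser = true` with a plain `ssh-ed25519` authorized key), and the staging file in this same commit reuses that account, so one key can write to both the production and the staging document root. Prefix the key entry with the OpenSSH `restrict` option to drop pty, port and agent forwarding for this key, e.g. `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"`, and consider a separate user and key for staging so a leaked staging credential cannot change production content. Minor: the nginx comment reads `addreses`; `# Then tell the realip_module to get the addresses from the proxy protocol` fixes it here and in the staging file.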
@@ -4,12 +4,14 @@
 imports = [
 ./branding-resources.hamburg.ccc.de.nix
 ./c3cat.de.nix
+ ./cryptoparty-hamburg.de.nix
 ./element.hamburg.ccc.de.nix
 ./hacker.tours.nix
 ./hackertours.hamburg.ccc.de.nix
 ./hamburg.ccc.de.nix
 ./spaceapi.hamburg.ccc.de.nix
 ./staging.c3cat.de.nix
+ ./staging.cryptoparty-hamburg.de.nix
 ./staging.hacker.tours.nix
 ./staging.hackertours.hamburg.ccc.de.nix
 ./staging.hamburg.ccc.de.nix
diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
new file mode 100644
index 0000000..7d1ec9e
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
@@ -0,0 +1,61 @@
+{ ... }:
+
+let
+ domain = "staging.cryptoparty-hamburg.de";
+ dataDir = "/var/www/staging.cryptoparty-hamburg.de";
+ deployUser = "cryptoparty-website-deploy";
+in
+{
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix.
+}
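Review bot: `Disallow: *` in the `locations."/robots.txt"` return body is not the standard directive form: robots.txt rules are path prefixes that start with `/`, and `*` is only a wildcard in some crawlers' extensions, so a crawler following the plain specification may treat the rule as matching nothing and index the staging site anyway. Use `return = "200 \"User-agent: *\\nDisallow: /\\n\"";`. The comment above it can then read `# Disallow everything, since this is staging and doesn't need to be in any search results.`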