public-web-static: to not log ip addresses just disable the access_log

config/hosts/public-web-static/nginx.nix

@@ -1,7 +1,12 @@
 { ... }:
 
 {
-  services.nginx.enable = true;
+  services.nginx = {
+    enable = true;
+    appendHttpConfig = ''
+      access_log off;
+    '';
+  };
 
   networking.firewall.allowedTCPPorts = [ 8443 31820 ];
   networking.firewall.allowedUDPPorts = [ 8443 ];

config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix

@@ -1,13 +1,17 @@
 { ... }:
 
 let
-  # For now under cpuccc.hamburg.ccc.de.
-  domain = "cpuccc.hamburg.ccc.de";
-  # dataDir = "/var/www/${domain}";
-  dataDir = "/var/www/cpu.ccc.de";
+  domain = "cpu.ccc.de";
+  dataDir = "/var/www/${domain}";
   deployUser = "cpuccc-website-deploy";
 in
 {
+  security.acme.certs."cpu.ccc.de".extraDomainNames = [
+    "cpuccc.hamburg.ccc.de"
+    "lokal.ccc.de"
+    "local.ccc.de"
+  ];
+
   services.nginx.virtualHosts = {
     "acme-${domain}" = {
       enableACME = true;
@@ -70,6 +74,35 @@ in
         '';
       };
     };
+
+    "cpuccc.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "cpu.ccc.de";
+      serverAliases = [
+        "lokal.ccc.de"
+        "local.ccc.de"
+      ];
+
+      listen = [{
+        addr = "0.0.0.0";
+        port = 8443;
+        ssl = true;
+        proxyProtocol = true;
+      }];
+
+      locations."/".return = "302 https://cpu.ccc.de";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
   };
 
   systemd.tmpfiles.rules = [