license this repo under the MIT license

All previous contributors are asked to sign off on licensing this repo
under the MIT license in PR 12
(#12). Once all
contributors signed-off, this commit will be merged into the main
branch and this repo will be licensed under the MIT license.

Don't track copyright years in the license, as that is cumbersome and
also not done in other projects anymore:
https://daniel.haxx.se/blog/2023/01/08/copyright-without-years/
https://github.com/rails/rails/pull/47467

MIT License:
https://opensource.org/license/MIT
https://choosealicense.com/licenses/mit/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) CCCHH
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

README.md

@@ -62,3 +62,18 @@ This is exactly what we're doing to set the default deployment user to `colmena-
    };
    ```
    This secret would then be available under `/run/secrets/forgejo_git_smtp_password` on the host.
+
+## Build NixOS Proxmox VE Template
+
+Build a new NixOS Proxmox VE Template for the thinkcccore's:
+```shell
+nix build .#proxmox-nixos-template
+```
+Build a new NixOS Proxmox VE Template for the chaosknoten:
+```shell
+nix build .#proxmox-chaosknoten-nixos-template
+```
+
+## License
+
+This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).

config/common/users.nix

@@ -11,8 +11,8 @@
 let
   authorizedKeysRepo = pkgs.fetchgit {
     url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
-    rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
-    hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
+    rev = "686a6af22f6696f0c0595c56f463c078550049fc";
+    hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

config/hosts/git/forgejo.nix

@@ -45,6 +45,9 @@
         DEFAULT_USER_VISIBILITY = "limited";
         DEFAULT_KEEP_EMAIL_PRIVATE = true;
         ENABLE_BASIC_AUTHENTICATION = false;
+        ENABLE_NOTIFY_MAIL = true;
+        AUTO_WATCH_NEW_REPOS = false;
+        AUTO_WATCH_ON_CHANGES = false;
       };
       repo = {
         DEFAULT_REPO_UNITS = "repo.code,repo.issues,repo.pulls";

config/hosts/public-web-static/virtualHosts/c3cat.de.nix

@@ -1,10 +1,19 @@
 { pkgs, ... }:
 
-{
+let
+  domain = "c3cat.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "c3cat-website-deploy";
+in {
+  security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
+
   services.nginx.virtualHosts = {
-    "acme-c3cat.de" = {
+    "acme-${domain}" = {
       enableACME = true;
-      serverName = "c3cat.de";
+      serverName = "${domain}";
+      serverAliases = [
+        "www.${domain}"
+      ];
 
       listen = [
         {
@@ -14,9 +23,9 @@
       ];
     };
 
-    "c3cat.de" = {
+    "$www.${domain}" = {
       forceSSL = true;
-      useACMEHost = "c3cat.de";
+      useACMEHost = "${domain}";
 
       listen = [
         {
@@ -28,7 +37,7 @@
       ];
 
       locations."/" = {
-        return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
+        return = "302 https://c3cat.de$request_uri";
       };
 
       extraConfig = ''
@@ -42,5 +51,45 @@
         real_ip_header proxy_protocol;
       '';
     };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
   };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
 }

config/hosts/public-web-static/virtualHosts/default.nix

@@ -9,6 +9,7 @@
     ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
+    ./staging.c3cat.de.nix
     ./staging.hacker.tours.nix
     ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix

config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix

@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.80";
+  elementWebVersion = "1.11.84";
   element-web = pkgs.fetchzip {
     url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-sudWmNehxGsbZTNirTkoWQ/Bln1DC1CI30wocw9VoH8=";
+    sha256 = "sha256-z2qaKKyUq2S/r3xUUU3ym0FgFbiQr6bcltuKvUMPbH4=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix

@@ -0,0 +1,60 @@
+{ pkgs, ... }:
+
+let
+  domain = "staging.c3cat.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "c3cat-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # c3cat deploy user already defined in c3cat.de.nix.
+}

flake.lock

@@ -38,11 +38,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1730428893,
-        "narHash": "sha256-fLLUd2dO/Vnf96UDr8YPzerYi+n99l3S5yIUDnmcPBE=",
+        "lastModified": 1731133565,
+        "narHash": "sha256-tCErjTdCUWK06LzkcvwUM+3pyrrmdf8e0VDBBTgqznE=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "38edd08881ce4dc24056eec173b43587a93c990f",
+        "rev": "11f65b4b0405cff5b54c813626bddcf5435d7ad2",
         "type": "github"
       },
       "original": {
@@ -54,11 +54,11 @@
     },
     "nixpkgs-stable": {
       "locked": {
-        "lastModified": 1729973466,
-        "narHash": "sha256-knnVBGfTCZlQgxY1SgH0vn2OyehH9ykfF8geZgS95bk=",
+        "lastModified": 1730602179,
+        "narHash": "sha256-efgLzQAWSzJuCLiCaQUCDu4NudNlHdg2NzGLX5GYaEY=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "cd3e8833d70618c4eea8df06f95b364b016d4950",
+        "rev": "3c2f1c4ca372622cb2f9de8016c9a0b1cbd0f37c",
         "type": "github"
       },
       "original": {
@@ -70,11 +70,11 @@
     },
     "nixpkgs-unstable": {
       "locked": {
-        "lastModified": 1730449684,
-        "narHash": "sha256-Hlv3rTPxnO+DpKRXw9yjzERLdk05h7+fEbZxWM2taCw=",
+        "lastModified": 1731265036,
+        "narHash": "sha256-e5I+glVZwQvLT6WIeMFi0Mk+N/jkYauZ31ir2NRZcf8=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "ab464abbeb3a2833288c6e907488c49c2e599f88",
+        "rev": "8aed22ecd71e5b67e5299efae8b9dc580dec711c",
         "type": "github"
       },
       "original": {
@@ -100,11 +100,11 @@
         "nixpkgs-stable": "nixpkgs-stable"
       },
       "locked": {
-        "lastModified": 1729999681,
-        "narHash": "sha256-qm0uCtM9bg97LeJTKQ8dqV/FvqRN+ompyW4GIJruLuw=",
+        "lastModified": 1731213149,
+        "narHash": "sha256-jR8i6nFLmSmm0cIoeRQ8Q4EBARa3oGaAtEER/OMMxus=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "1666d16426abe79af5c47b7c0efa82fd31bf4c56",
+        "rev": "f1675e3b0e1e663a4af49be67ecbc9e749f85eb7",
         "type": "github"
       },
       "original": {