From 6ac55fe4a2f1454ffc70f372997b727904838738 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 4 Apr 2026 17:21:39 +0200 Subject: [PATCH 01/12] fix ports in redirects --- config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix | 2 ++ .../public-web-static/virtualHosts/staging.docs.c3voc.de.nix | 2 ++ 2 files changed, 4 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix b/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix index a91edc1..5c257da 100644 --- a/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix @@ -42,6 +42,8 @@ in { # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; + + port_in_redirect off; ''; }; }; diff --git a/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix index 5b3d387..2170f8c 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix @@ -48,6 +48,8 @@ in { # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; + + port_in_redirect off; ''; }; }; From d1ef492f93f18809a80266ab9e9a33af465caf5d Mon Sep 17 00:00:00 2001 From: June Date: Sat, 11 Apr 2026 20:44:22 +0200 Subject: [PATCH 02/12] establish c3dog.de and staging as their own websites --- .../virtualHosts/c3dog.de.nix | 11 +++- .../virtualHosts/default.nix | 1 + .../virtualHosts/staging.c3dog.de.nix | 60 +++++++++++++++++++ 3 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/c3dog.de.nix b/config/hosts/public-web-static/virtualHosts/c3dog.de.nix index 3589418..16fedd5 100644 
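Review bot: The added `port_in_redirect off;` in docs.c3voc.de.nix carries no comment, unlike the realip directives just above it in the same `extraConfig`. A line such as `# nginx listens on 8443 behind the proxy; keep that port out of nginx-generated redirects.` would record why it is there (the 8443 listener for this vhost is visible later in the series). The identical hunk in staging.docs.c3voc.de.nix wants the same comment. The enclosing vhost definition starts outside both hunks.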
--- a/config/hosts/public-web-static/virtualHosts/c3dog.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3dog.de.nix @@ -3,7 +3,7 @@ let domain = "c3dog.de"; dataDir = "/var/www/${domain}"; - deployUser = "c3cat-website-deploy"; + deployUser = "c3dog-website-deploy"; in { security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ]; @@ -83,4 +83,13 @@ in { systemd.tmpfiles.rules = [ "d ${dataDir} 0755 ${deployUser} ${deployUser}" ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7iXsVArl4SbDczb4U3zGkZCiVO/lfn12gkOEOnKmEX deploy key for c3dog.de" + ]; + }; + users.groups."${deployUser}" = { }; } diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index dfac565..404ca35 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -15,6 +15,7 @@ ./hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix ./staging.c3cat.de.nix + ./staging.c3dog.de.nix ./staging.cryptoparty-hamburg.de.nix ./staging.docs.c3voc.de.nix ./staging.hacker.tours.nix diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix new file mode 100644 index 0000000..d69ad2b --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix 
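Review bot: The new `users.users."${deployUser}"` block in the second c3dog.de.nix hunk combines `isNormalUser = true` with an unrestricted entry in `openssh.authorizedKeys.keys`, so whoever holds the deploy key gets an interactive login, port forwarding and agent forwarding on the web host, not just the ability to upload files. If the pipeline only needs to write into `${dataDir}`, prefix the key with OpenSSH's `restrict` option, i.e. `"restrict ssh-ed25519 AAAA… deploy key for c3dog.de"`, and pin it further with a forced `command="…"` if the upload tool allows it. Whether the other deploy users on this host are set up the same way is not visible in this hunk.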
@@ -0,0 +1,60 @@ +{ pkgs, ... }: + +let + domain = "staging.c3dog.de"; + dataDir = "/var/www/${domain}"; + deployUser = "c3dog-website-deploy"; +in { + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + # Disallow *, since this is staging and doesn't need to be in any search + # results. + locations."/robots.txt" = { + return = "200 \"User-agent: *\\nDisallow: *\\n\""; + }; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + # c3dog deploy user already defined in c3dog.de.nix. +} From fe27dba7fd05eead48988013be453aafb63d07c2 Mon Sep 17 00:00:00 2001 
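Review bot: `deployUser = "c3dog-website-deploy"` in the new staging file is the same account, and therefore the same SSH key, that owns the production `/var/www/c3dog.de` tree defined in c3dog.de.nix, so anything able to deploy to staging can also overwrite the live site. If staging is fed from less-reviewed branches or a separate pipeline, a dedicated staging user with its own key (for example `c3dog-staging-website-deploy`, name constructed here) would keep the two trust levels apart. The closing comment `# c3dog deploy user already defined in c3dog.de.nix.` should then say that the sharing is intentional, or be dropped.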
From: June Date: Mon, 27 Apr 2026 18:41:38 +0200 Subject: [PATCH 03/12] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e' (2026-04-01) → 'github:nixos/nixpkgs/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160' (2026-04-25) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/8d8c1fa5b412c223ffa47410867813290cdedfef' (2026-04-02) → 'github:nixos/nixpkgs/01fbdeef22b76df85ea168fbfe1bfd9e63681b30' (2026-04-23) • Updated input 'sops-nix': 'github:Mic92/sops-nix/8f093d0d2f08f37317778bd94db5951d6cce6c46' (2026-04-03) → 'github:Mic92/sops-nix/bef289e2248991f7afeb95965c82fbcd8ff72598' (2026-04-21) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 8f672b0..ed279ac 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1775002709, - "narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=", + "lastModified": 1777077449, + "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e", + "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", "type": "github" }, "original": { @@ -35,11 +35,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1775126147, - "narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=", + "lastModified": 1776949667, + "narHash": "sha256-GMSVw35Q+294GlrTUKlx087E31z7KurReQ1YHSKp5iw=", "owner": "nixos", "repo": "nixpkgs", - "rev": "8d8c1fa5b412c223ffa47410867813290cdedfef", + "rev": "01fbdeef22b76df85ea168fbfe1bfd9e63681b30", "type": "github" }, "original": { 
@@ -64,11 +64,11 @@ ] }, "locked": { - "lastModified": 1775188331, - "narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=", + "lastModified": 1776771786, + "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=", "owner": "Mic92", "repo": "sops-nix", - "rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46", + "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598", "type": "github" }, "original": { From dd2f3178db2cdc5728e31387e35cd2496ea101ae Mon Sep 17 00:00:00 2001 
From: June Date: Tue, 28 Apr 2026 23:30:00 +0200 Subject: [PATCH 04/12] public-web-static(host): move to new network and to v6 --- .../hosts/public-web-static/configuration.nix | 5 +- config/hosts/public-web-static/networking.nix | 8 +-- .../branding-resources.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/c3cat.de.nix | 16 ++++++ .../virtualHosts/c3dog.de.nix | 16 ++++++ .../virtualHosts/cpu.ccc.de.nix | 30 ++++++++-- .../virtualHosts/cryptoparty-hamburg.de.nix | 16 ++++++ .../virtualHosts/diday.org.nix | 16 ++++++ .../virtualHosts/docs.c3voc.de.nix | 10 ++++ .../element-admin.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/element.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/hacker.tours.nix | 12 +++- .../hackertours.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/historic-easterhegg/eh03.nix | 56 +++++++++++++------ .../virtualHosts/historic-easterhegg/eh05.nix | 56 +++++++++++++------ .../virtualHosts/historic-easterhegg/eh07.nix | 56 +++++++++++++------ .../virtualHosts/historic-easterhegg/eh09.nix | 56 +++++++++++++------ .../virtualHosts/historic-easterhegg/eh11.nix | 56 +++++++++++++------ .../virtualHosts/historic-easterhegg/eh20.nix | 54 ++++++++++++------ .../virtualHosts/spaceapi.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/staging.c3cat.de.nix | 10 ++++ .../virtualHosts/staging.c3dog.de.nix | 10 ++++ .../staging.cryptoparty-hamburg.de.nix | 16 ++++++ .../virtualHosts/staging.diday.org.nix | 6 ++ .../virtualHosts/staging.docs.c3voc.de.nix | 10 ++++ .../virtualHosts/staging.hacker.tours.nix | 10 ++++ .../staging.hackertours.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/staging.hamburg.ccc.de.nix | 10 ++++ .../virtualHosts/www.hamburg.ccc.de.nix | 10 ++++ deployment_configuration.json | 3 - 31 files changed, 502 insertions(+), 116 deletions(-) diff --git a/config/hosts/public-web-static/configuration.nix b/config/hosts/public-web-static/configuration.nix index 9e2aebc..a8e5f29 100644 
--- a/config/hosts/public-web-static/configuration.nix +++ b/config/hosts/public-web-static/configuration.nix @@ -1,7 +1,10 @@ { ... }: { - networking.hostName = "public-web-static"; + networking = { + hostName = "public-web-static"; + domain = "hosts.hamburg.ccc.de"; + }; system.stateVersion = "23.05"; } diff --git a/config/hosts/public-web-static/networking.nix b/config/hosts/public-web-static/networking.nix index cb22d40..2758338 100644 --- a/config/hosts/public-web-static/networking.nix +++ b/config/hosts/public-web-static/networking.nix @@ -3,14 +3,14 @@ { networking = { interfaces.net0 = { - ipv4.addresses = [ + ipv6.addresses = [ { - address = "172.31.17.151"; - prefixLength = 25; + address = "2a00:14b0:42:102::17"; + prefixLength = 64; } ]; }; - defaultGateway = "172.31.17.129"; + defaultGateway6 = "2a00:14b0:42:102::1"; nameservers = [ "212.12.50.158" "192.76.134.90" ]; search = [ "hamburg.ccc.de" ]; }; diff --git a/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix index a28f77c..edeca47 100644 --- a/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix @@ -14,6 +14,10 @@ in serverName = "branding-resources.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -26,6 +30,12 @@ in useACMEHost = "branding-resources.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index 95f9b59..54b7462 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix 
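Review bot: `nameservers = [ "212.12.50.158" "192.76.134.90" ]` in networking.nix stays IPv4-only while this hunk replaces the host's only visible IPv4 address and `defaultGateway` with `ipv6.addresses` and `defaultGateway6`. Unless IPv4 or NAT64 reaches the host by a path not shown here, name resolution will fail, which on this host would break ACME renewals and let the certificates lapse. Add the resolvers' IPv6 addresses (or another v6-reachable resolver) to `nameservers`. The forgejo-actions-runner/networking.nix hunk in PATCH 05 has the same combination.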
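Review bot: The added `addr = "[::]"` listeners with `proxyProtocol = true` open the proxy-protocol port on what is now a globally routable address (`2a00:14b0:42:102::17` in networking.nix), while the vhosts shown earlier in this series (docs.c3voc.de.nix, staging.c3dog.de.nix) still trust only `set_real_ip_from 172.31.17.140;`. If the proxy now connects over IPv6, its source no longer matches that entry, so `$remote_addr` stays the proxy's address and the access logs lose the client IP. When updating `set_real_ip_from`, use the proxy's single new address rather than a prefix, since every host inside a trusted range can supply an arbitrary client address in the PROXY header. It is also worth confirming that the firewall (not visible here) admits 8443 only from the proxy. This applies to every vhost file touched in this patch, starting with branding-resources.hamburg.ccc.de.nix.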
@@ -16,6 +16,10 @@ in { ]; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -28,6 +32,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; @@ -61,6 +71,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/c3dog.de.nix b/config/hosts/public-web-static/virtualHosts/c3dog.de.nix index 16fedd5..dcca75a 100644 --- a/config/hosts/public-web-static/virtualHosts/c3dog.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3dog.de.nix @@ -16,6 +16,10 @@ in { ]; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -28,6 +32,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; @@ -57,6 +67,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix index d2e779a..79f6fb4 100644 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix @@ -17,6 +17,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -30,6 +34,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
@@ -81,12 +91,20 @@ in "local.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://cpu.ccc.de"; diff --git a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix index 37d95b9..59934eb 100644 --- a/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix @@ -16,6 +16,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -28,6 +32,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; @@ -55,6 +65,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/diday.org.nix b/config/hosts/public-web-static/virtualHosts/diday.org.nix index 547c797..42117bf 100644 --- a/config/hosts/public-web-static/virtualHosts/diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/diday.org.nix @@ -16,6 +16,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -28,6 +32,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; @@ -50,6 +60,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix b/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix index 5c257da..956baf4 100644 --- a/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix @@ -11,6 +11,10 @@ in { serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -23,6 +27,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix index 670b191..f30e9a7 100644 --- a/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix @@ -40,6 +40,10 @@ in serverName = "element-admin.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -52,6 +56,12 @@ in useACMEHost = "element-admin.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index 360fb76..b8a014f 100644 --- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -24,6 +24,10 @@ in serverName = "element.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -36,6 +40,12 @@ in useACMEHost = "element.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix index 20bb644..dd6fc90 100644 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix @@ -12,6 +12,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -22,12 +26,18 @@ in "${domain}" = { forceSSL = true; useACMEHost = "${domain}"; - + locations."/shop" = { return = "302 https://tickets.hamburg.ccc.de"; }; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix index eeb7778..269aa92 100644 --- a/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix @@ -12,6 +12,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -24,6 +28,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index 1c967c9..abbf5aa 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -7,6 +7,10 @@ serverName = "hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -20,6 +24,12 @@ default = true; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix index 2c5dd86..bb8bd6e 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix @@ -25,10 +25,16 @@ in "easterhegg2003.hamburg.ccc.de" "www.easterhegg2003.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; + listen = [ + { + addr = "[::]"; + port = 31820; + } + { + addr = "0.0.0.0"; + port = 31820; + } + ]; }; "easterhegg2003.hamburg.ccc.de" = { @@ -40,12 +46,20 @@ in "www.easterhegg2003.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://eh03.easterhegg.eu"; @@ -65,18 +79,26 @@ in forceSSL = true; useACMEHost = "eh03.easterhegg.eu"; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/" = { index = "index.html"; root = eh03; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix index 37cb893..a6b6f80 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix 
@@ -25,10 +25,16 @@ in "easterhegg2005.hamburg.ccc.de" "www.easterhegg2005.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; + listen = [ + { + addr = "[::]"; + port = 31820; + } + { + addr = "0.0.0.0"; + port = 31820; + } + ]; }; "easterhegg2005.hamburg.ccc.de" = { @@ -40,12 +46,20 @@ in "www.easterhegg2005.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://eh05.easterhegg.eu"; @@ -65,18 +79,26 @@ in forceSSL = true; useACMEHost = "eh05.easterhegg.eu"; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/" = { index = "index.shtml"; root = eh05; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix index ebfa712..80a404b 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix @@ -29,10 +29,16 @@ in "easterhegg2007.hamburg.ccc.de" "www.easterhegg2007.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; + listen = [ + { + addr = "[::]"; + port = 31820; + } + { + addr = "0.0.0.0"; + port = 31820; + } + ]; }; "easterhegg2007.hamburg.ccc.de" = { 
@@ -46,12 +52,20 @@ in "www.easterhegg2007.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://eh07.easterhegg.eu"; @@ -71,18 +85,26 @@ in forceSSL = true; useACMEHost = "eh07.easterhegg.eu"; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/" = { index = "index.shtml"; root = eh07; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix index ea274af..f2720f4 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix @@ -29,10 +29,16 @@ in "easterhegg2009.hamburg.ccc.de" "www.easterhegg2009.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; + listen = [ + { + addr = "[::]"; + port = 31820; + } + { + addr = "0.0.0.0"; + port = 31820; + } + ]; }; "easterhegg2009.hamburg.ccc.de" = { @@ -46,12 +52,20 @@ in "www.easterhegg2009.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://eh09.easterhegg.eu"; 
@@ -71,18 +85,26 @@ in forceSSL = true; useACMEHost = "eh09.easterhegg.eu"; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/" = { index = "index.shtml"; root = eh09; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix index 39d7fad..e44d0f5 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix @@ -29,10 +29,16 @@ in "easterhegg2011.hamburg.ccc.de" "www.easterhegg2011.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; + listen = [ + { + addr = "[::]"; + port = 31820; + } + { + addr = "0.0.0.0"; + port = 31820; + } + ]; }; "easterhegg2011.hamburg.ccc.de" = { @@ -46,12 +52,20 @@ in "www.easterhegg2011.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://eh11.easterhegg.eu"; 
@@ -71,18 +85,26 @@ in forceSSL = true; useACMEHost = "eh11.easterhegg.eu"; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/" = { index = "index.shtml"; root = eh11; extraConfig = '' - # Set default_type to html + # Set default_type to html default_type text/html; # Enable SSI ssi on; diff --git a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix index afc93c1..c72a72b 100644 --- a/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix +++ b/config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix @@ -21,10 +21,16 @@ in "www.eh20.easterhegg.eu" "eh20.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 31820; - }]; + listen = [ + { + addr = "[::]"; + port = 31820; + } + { + addr = "0.0.0.0"; + port = 31820; + } + ]; }; "www.eh20.easterhegg.eu" = { @@ -34,12 +40,20 @@ in "eh20.hamburg.ccc.de" ]; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/".return = "302 https://eh20.easterhegg.eu"; @@ -59,12 +73,20 @@ in forceSSL = true; useACMEHost = "eh20.easterhegg.eu"; - listen = [{ - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - }]; + listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; locations."/" = { index = "start.html"; 
diff --git a/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix index 7852639..105c0e5 100644 --- a/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix @@ -7,6 +7,10 @@ serverName = "spaceapi.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -19,6 +23,12 @@ useACMEHost = "spaceapi.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix index c91d283..3f9f7a3 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix @@ -11,6 +11,10 @@ in { serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -23,6 +27,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix b/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix index d69ad2b..697ac69 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix @@ -11,6 +11,10 @@ in { serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -23,6 +27,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix index 6733dad..21ef153 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix @@ -16,6 +16,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -28,6 +32,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; @@ -55,6 +65,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix index b165348..7ff72b8 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix @@ -21,6 +21,12 @@ in forceSSL = true; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix index 2170f8c..b70af70 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix @@ -11,6 +11,10 @@ in { serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -23,6 +27,12 @@ in { useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix index 14ede9b..7e44a84 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix @@ -12,6 +12,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -24,6 +28,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix index 79ca38c..0c7cd28 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix @@ -12,6 +12,10 @@ in serverName = "${domain}"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -24,6 +28,12 @@ in useACMEHost = "${domain}"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix index f7e0752..624b632 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix @@ -7,6 +7,10 @@ serverName = "staging.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -19,6 +23,12 @@ useACMEHost = "staging.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; 
diff --git a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix index a29fbd2..4f241f1 100644 --- a/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix @@ -7,6 +7,10 @@ serverName = "www.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 31820; + } { addr = "0.0.0.0"; port = 31820; @@ -19,6 +23,12 @@ useACMEHost = "www.hamburg.ccc.de"; listen = [ + { + addr = "[::]"; + port = 8443; + ssl = true; + proxyProtocol = true; + } { addr = "0.0.0.0"; port = 8443; diff --git a/deployment_configuration.json b/deployment_configuration.json index 3ae44cc..9a768bf 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -6,9 +6,6 @@ "matrix": { "targetHostname": "matrix-intern.hamburg.ccc.de" }, - "public-web-static": { - "targetHostname": "public-web-static-intern.hamburg.ccc.de" - }, "git": { "targetHostname": "git.hamburg.ccc.de" }, From e0b593289d1019dcd91ea0b3fa69d2ff4928cd97 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 29 Apr 2026 03:08:20 +0200 Subject: [PATCH 05/12] forgejo-actions-runner(host): enable IPv6 support in Docker Enable the relevant config option and move to new network with an explicit IPv6, because otherwise there's no default v6 route and v6 in the Docker containers doesn't work. --- config/hosts/forgejo-actions-runner/configuration.nix | 5 ++++- config/hosts/forgejo-actions-runner/docker.nix | 3 +++ config/hosts/forgejo-actions-runner/networking.nix | 8 ++++---- deployment_configuration.json | 3 --- 4 files changed, 11 insertions(+), 8 deletions(-) diff --git a/config/hosts/forgejo-actions-runner/configuration.nix b/config/hosts/forgejo-actions-runner/configuration.nix index d2a52da..713e795 100644 --- a/config/hosts/forgejo-actions-runner/configuration.nix +++ b/config/hosts/forgejo-actions-runner/configuration.nix 
@@ -1,7 +1,10 @@ { config, pkgs, ... }: { - networking.hostName = "forgejo-actions-runner"; + networking = { + hostName = "forgejo-actions-runner"; + domain = "hosts.hamburg.ccc.de"; + }; system.stateVersion = "23.11"; } diff --git a/config/hosts/forgejo-actions-runner/docker.nix b/config/hosts/forgejo-actions-runner/docker.nix index b626e9f..043f272 100644 --- a/config/hosts/forgejo-actions-runner/docker.nix +++ b/config/hosts/forgejo-actions-runner/docker.nix @@ -9,5 +9,8 @@ enable = true; dates = "weekly"; }; + daemon.settings = { + ipv6 = true; + }; }; } diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix index 71aa47a..0c09eda 100644 --- a/config/hosts/forgejo-actions-runner/networking.nix +++ b/config/hosts/forgejo-actions-runner/networking.nix @@ -5,14 +5,14 @@ let in { networking = { interfaces.net0 = { - ipv4.addresses = [ + ipv6.addresses = [ { - address = "172.31.17.155"; - prefixLength = 25; + address = "2a00:14b0:42:102::18"; + prefixLength = 64; } ]; }; - defaultGateway = "172.31.17.129"; + defaultGateway6 = "2a00:14b0:42:102::1"; nameservers = [ "212.12.50.158" "192.76.134.90" ]; search = [ "hamburg.ccc.de" ]; }; diff --git a/deployment_configuration.json b/deployment_configuration.json index 9a768bf..eddd7b0 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -9,9 +9,6 @@ "git": { "targetHostname": "git.hamburg.ccc.de" }, - "forgejo-actions-runner": { - "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" - }, "woodpecker": { "targetHostname": "woodpecker-intern.hamburg.ccc.de" }, From b74304319a2c246d71b6aed91d86e35f057522af Mon Sep 17 00:00:00 2001 From: June Date: Wed, 29 Apr 2026 03:34:04 +0200 Subject: [PATCH 06/12] forgejo-actions-runner(host): also enable IPv6 support in runner config --- .../hosts/forgejo-actions-runner/forgejo-actions-runner.nix | 6 ++++++ 1 file changed, 6 insertions(+) 
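Review bot: `ipv6 = true;` under `daemon.settings` in docker.nix gives CI job containers IPv6 connectivity, but the hunk sets nothing about how inbound IPv6 traffic to those containers is filtered. Depending on the Docker version, IPv6 packet filtering is controlled separately by the `ip6tables` daemon setting, and without it containers on a routed IPv6 network can be reachable directly from outside the host. Consider stating it explicitly with `ip6tables = true;` and checking that the host firewall also covers forwarded IPv6 traffic; neither is visible in this hunk.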
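Review bot: After the networking.nix hunk the interface has only an IPv6 address and `defaultGateway6`, while the unchanged line `nameservers = [ "212.12.50.158" "192.76.134.90" ];` still lists IPv4 resolvers. Unless IPv4 reachability is provided somewhere outside this hunk, name resolution on the runner host will fail or silently depend on whatever other resolver is configured. Replace or extend the list with resolvers reachable over IPv6, e.g. `nameservers = [ "<IPv6 resolver address>" ];`.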
diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index d5a93c1..2efeefe 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -15,6 +15,9 @@ tokenFile = "/run/secrets/forgejo_actions_runner_registration_token"; labels = [ "docker:docker://node:current-bookworm" ]; settings = { + container = { + enable_ipv6 = true; + }; cache = { proxy_port = 45540; }; @@ -35,6 +38,9 @@ "alpine-latest:docker://node:current-alpine" ]; settings = { + container = { + enable_ipv6 = true; + }; cache = { proxy_port = 45541; }; From e3b638b10fc790adbed3247b67703a35050bffd2 Mon Sep 17 00:00:00 2001 From: lilly Date: Thu, 30 Apr 2026 01:12:23 +0200 Subject: [PATCH 07/12] remove basic-auth from diday.org --- config/hosts/public-web-static/virtualHosts/diday.org.nix | 8 -------- .../public-web-static/virtualHosts/staging.diday.org.nix | 4 ---- 2 files changed, 12 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/diday.org.nix b/config/hosts/public-web-static/virtualHosts/diday.org.nix index 42117bf..d9f3b31 100644 --- a/config/hosts/public-web-static/virtualHosts/diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/diday.org.nix @@ -46,10 +46,6 @@ in } ]; - basicAuth = { - "preview" = "liebe"; - }; - extraConfig = '' return 301 https://diday.org; ''; @@ -74,10 +70,6 @@ in } ]; - basicAuth = { - "preview" = "liebe"; - }; - root = "${dataDir}"; extraConfig = '' diff --git a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix index 7ff72b8..c6afb80 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix 
@@ -35,10 +35,6 @@ in } ]; - basicAuth = { - "preview" = "liebe"; - }; - extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy From 1abba8aece739678ba0e4fec382bd1345a5fe4e5 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 14 May 2026 00:06:32 +0200 Subject: [PATCH 08/12] public-web-static(host): update element-web and element-admin element-web: 1.12.0 -> 1.12.18 element-admin: 0.1.10 -> 0.1.11 --- .../virtualHosts/element-admin.hamburg.ccc.de.nix | 6 +++--- .../virtualHosts/element.hamburg.ccc.de.nix | 4 ++-- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix index f30e9a7..8ee4336 100644 --- a/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix @@ -1,14 +1,14 @@ { config, pkgs, ... }: let - elementAdminVersion = "0.1.10"; + elementAdminVersion = "0.1.11"; elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { pname = "element-admin"; version = elementAdminVersion; src = pkgs.fetchzip { url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; - sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI="; + sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo="; }; nativeBuildInputs = [ @@ -19,7 +19,7 @@ let pnpmDeps = pkgs.pnpm.fetchDeps { inherit (finalAttrs) pname version src; fetcherVersion = 2; - hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4="; + hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac="; }; buildPhase = '' diff --git a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix index b8a014f..f781dc0 100644 
--- a/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix @@ -1,10 +1,10 @@ { pkgs, ... }: let - elementWebVersion = "1.12.0"; + elementWebVersion = "1.12.18"; element-web = pkgs.fetchzip { url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz"; - sha256 = "sha256-2kXQFUhLYyEKuXYw+n94JGlTN2VJHRpjmu78u8gdaro="; + sha256 = "sha256-RvPJg28hgOgFs0GFZ9EPypQkUPkAns0alXYJeNst4Bk="; }; elementSecurityHeaders = '' # Configuration best practices From cd7a0054a7e62c387fa16ecff3ff31dba0f48025 Mon Sep 17 00:00:00 2001 From: June Date: Thu, 14 May 2026 00:08:13 +0200 Subject: [PATCH 09/12] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/a4bf06618f0b5ee50f14ed8f0da77d34ecc19160' (2026-04-25) → 'github:nixos/nixpkgs/8fd9daa3db09ced9700431c5b7ad0e8ba199b575' (2026-05-10) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/01fbdeef22b76df85ea168fbfe1bfd9e63681b30' (2026-04-23) → 'github:nixos/nixpkgs/eef00dfd8a712b34af845f9350bac681b1228bd1' (2026-05-13) • Updated input 'sops-nix': 'github:Mic92/sops-nix/bef289e2248991f7afeb95965c82fbcd8ff72598' (2026-04-21) → 'github:Mic92/sops-nix/c591bf665727040c6cc5cb409079acb22dcce33c' (2026-05-05) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index ed279ac..b2142ed 100644 --- a/flake.lock +++ b/flake.lock 
@@ -19,11 +19,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1777077449, - "narHash": "sha256-AIiMJiqvGrN4HyLEbKAoCSRRYn0rnlW5VbKNIMIYqm4=", + "lastModified": 1778430510, + "narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=", "owner": "nixos", "repo": "nixpkgs", - "rev": "a4bf06618f0b5ee50f14ed8f0da77d34ecc19160", + "rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575", "type": "github" }, "original": { @@ -35,11 +35,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1776949667, - "narHash": "sha256-GMSVw35Q+294GlrTUKlx087E31z7KurReQ1YHSKp5iw=", + "lastModified": 1778672786, + "narHash": "sha256-Blg88K1jwG+P0Mr27+rKMFCufdrWkV3wWh9AdYtz0FQ=", "owner": "nixos", "repo": "nixpkgs", - "rev": "01fbdeef22b76df85ea168fbfe1bfd9e63681b30", + "rev": "eef00dfd8a712b34af845f9350bac681b1228bd1", "type": "github" }, "original": { @@ -64,11 +64,11 @@ ] }, "locked": { - "lastModified": 1776771786, - "narHash": "sha256-DRFGPfFV6hbrfO9a1PH1FkCi7qR5FgjSqsQGGvk1rdI=", + "lastModified": 1777944972, + "narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=", "owner": "Mic92", "repo": "sops-nix", - "rev": "bef289e2248991f7afeb95965c82fbcd8ff72598", + "rev": "c591bf665727040c6cc5cb409079acb22dcce33c", "type": "github" }, "original": { From c458aa2f17b0e760c588d8af812b13baf35961d5 Mon Sep 17 00:00:00 2001 
From: chris Date: Fri, 15 May 2026 17:58:16 +0200 Subject: [PATCH 10/12] Remove woodpecker host Long live forgejo actions --- config/hosts/woodpecker/configuration.nix | 7 - config/hosts/woodpecker/default.nix | 11 -- config/hosts/woodpecker/networking.nix | 22 --- config/hosts/woodpecker/secrets.yaml | 149 ------------------ config/hosts/woodpecker/sops.nix | 7 - .../woodpecker/woodpecker-agent/default.nix | 8 - .../woodpecker/woodpecker-agent/docker.nix | 12 -- .../woodpecker-agent/woodpecker-agent.nix | 29 ---- .../woodpecker/woodpecker-server/default.nix | 9 -- .../woodpecker/woodpecker-server/nginx.nix | 57 ------- .../woodpecker-server/postgresql.nix | 18 --- .../woodpecker-server/woodpecker-server.nix | 44 ------ flake.nix | 11 -- 13 files changed, 384 deletions(-) delete mode 100644 config/hosts/woodpecker/configuration.nix delete mode 100644 config/hosts/woodpecker/default.nix delete mode 100644 config/hosts/woodpecker/networking.nix delete mode 100644 config/hosts/woodpecker/secrets.yaml delete mode 100644 config/hosts/woodpecker/sops.nix delete mode 100644 config/hosts/woodpecker/woodpecker-agent/default.nix delete mode 100644 config/hosts/woodpecker/woodpecker-agent/docker.nix delete mode 100644 config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix delete mode 100644 config/hosts/woodpecker/woodpecker-server/default.nix delete mode 100644 config/hosts/woodpecker/woodpecker-server/nginx.nix delete mode 100644 config/hosts/woodpecker/woodpecker-server/postgresql.nix delete mode 100644 config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix diff --git a/config/hosts/woodpecker/configuration.nix b/config/hosts/woodpecker/configuration.nix deleted file mode 100644 index 45e228e..0000000 --- a/config/hosts/woodpecker/configuration.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ config, pkgs, ... }: - -{ - networking.hostName = "woodpecker"; - - system.stateVersion = "24.05"; -} 
diff --git a/config/hosts/woodpecker/default.nix b/config/hosts/woodpecker/default.nix deleted file mode 100644 index 1db0c8c..0000000 --- a/config/hosts/woodpecker/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./woodpecker-agent - ./woodpecker-server - ./configuration.nix - ./networking.nix - ./sops.nix - ]; -} diff --git a/config/hosts/woodpecker/networking.nix b/config/hosts/woodpecker/networking.nix deleted file mode 100644 index 3301812..0000000 --- a/config/hosts/woodpecker/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.160"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:5F:A9:B7"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/woodpecker/secrets.yaml b/config/hosts/woodpecker/secrets.yaml deleted file mode 100644 index 5fae897..0000000 --- a/config/hosts/woodpecker/secrets.yaml +++ /dev/null 
@@ -1,149 +0,0 @@ -woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str] -woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str] -sops: - age: - - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdUhjQUJIS2QvWk1Yc3pR - M1daYlRubnlsQk9tcytBNWdYMUU4bG1DVHhZCnVKK00ySDdBZFhzRXlaQ2xVaTBh - bVVVNzRraUpHSFFuRStzWFprUGRoMGcKLS0tIEVBUWh4STBIaGdTelFKcnB0TkNR - SEd1VTZQZWlkYXVKcVRPbVA1U3VWbFUKnuaPGc29kKE86nh+xEto0Jb6BQ0uH3pr - Q1QPgfiOCYGkuUewy3LlGnLTuMxHBBWAjg4zgaYPHU2F/HCS5DB5nw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdVJNK1ljNWwrTy9qc1p1 - N1MweERxdkNXZVZITWRRdGFQRHRQeTNFTTI4CjFkSVJQMFBKY2tRWE1DeXdMOUZY - Qm5oYTU1azFzVEpYZUptcTVhRCsxL28KLS0tIEI0czljekgvQlc1SlVGSUpGb1N3 - NytOaE5nQ3E4bFhCQ1ZDU3MyM3p5cmcK3LGva0vDjitqOBqBo6jHqRBaH8T8cOim - IF8ygc0i/dbaec59ZcCMhS0n8yv0lVHO2WiUwPaKTh5hkti9LhKlaA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-06-22T15:55:25Z" - mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str] - pgp: - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP 
MESSAGE----- - - hQIMAz5uSgHG2iMJAQ/+NzRul1VZa2BLnjCsdUP7YErHvLsJqc/KwEFgGX8yN1Bg - VOHgm0MBYC14KtMu0Zb+Cm6ypqyaa4j+MXNVWLDTOLt1aLibashBmyPbwHNr0XwO - 6tr9qYAPixaoWFeiCtATKLUzWzQ68eDv9JHNNQvKGNjet9E1yOIxWHj6RxyV/EeZ - 50nf+7AO7cFkqRGFxrGKAYchzetajNPLtbS2htFCc3Vt9m38jusafvYdjeG+HQHe - 6INzdNqvM7vhfWJlIiTPCXGKvx0NhLg6sVvcXpq5mKbMAhja80KyUdl772L8Kr6P - ZYvmj+Ey8+GM+opGGxcaSBmgw3ZLRIZ1tks3LlRf/UiAZD5MqJoRL1DEJMtHzYnp - IqxOEiuMLAL1/TxG4KhJfT5Gs9Kf3Cnr6djhhsYg3GYXSQdhiyaBDaLpu68nEIRN - JSdA/7pCjxhvlgFl9XvPaMzQD5GZNlVapJPn1c9Ambi9cs4kB8nds+Xx4KgIN3li - 85flJnEtQWRI2DL8qJgoYJ1cXevkPVzKLFnQEHfLuozIzfPl1Wq1Sb3EQk9YZer9 - yfVHRngBBhmfNMtFy9gq8FLod0Odas3KQDAa7ndPMMx6oL5DoNeI3DpuYW4eQIZK - EbT5iHLMrTXHb2XKTHfXdjl6ttED+12GAby69jdGXjt6UVAM6b0UorWfSLLoqabS - XgG1w128eegSl4tqdYO/KDL30c9J1K8LqaJmg+9eFAi9Da/zmPAck+DlS7XUkeiX - OqZiOXLul0N2Qe/tWkpJD8F3HV+K6Xt0MSx8VsmeliicG4Rpme1Xysau+7kht3U= - =KUjN - -----END PGP MESSAGE----- - fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5 - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAw5vwmoEJHQ1ARAAxH+TtzvFlUZfD3U7BNRr9SyWVxnkR3U2zvvDG5A3I28K - fI1U1am6Z+gSvYdId38hiMPxDmDIMl2wCYCXd17q+PSycsJ1Bbzy1zaht6KcpSJb - s9jmNmf+5mazSRZ/COBy4mMq+2mam4/vu+xS85IsgxyxK9ygnCurmzMqn3lxatm0 - ICxvoLMAamA+tAfxtw+a5lEMok7pHdKndZmrKvxO7nLXM0292sJ3VHp5Uy9k487W - PznpjM1st/f/0gTu1mgb8rnUkSszw1odBeQ+xw2JvcDHE6Ow7PpCk83oTWXil6c4 - bEsrtvaFLWXN9/gssnayoMWHb/TCHKVe4AGrMevFkRdEFDRV5FRZGqzuGDP++X10 - KYyMN0/Wo/XU7Rn3+7HmKvz0qeaAI/IRTrhdXUDtQQ13/waxGrJEquwS5Xuwea6l - LlA6hwnAERSVrVkMQ60ITOD6n7lvAPA7jD/HhI3P2Xy4mDFW9ZnfnWi0xI9pRCsk - w+ZnQ1Ckacv0gJUirvsVSdUYHwvEvpFEVSsZsv5QbNsaWi5jn5XDH0eqlXQE80aO - o3vPFTNCHNixspiaIO4V8etyv6nSh7BxwDvIH4nZVxr8HmxILs0Occw9anvA81md - roF3pyb+ZFRIwcBh72VSdAm1D/n4h14lnmMj+19HEA3zvbPnZQejtGFMY1Oe2VTS - XgHMI0aRJANXczMA7LSg9vxDYvWXE2KR526oBsC1E7otCNGkxj3hhmng25K3tmIU - E2AAaAIk/RukMnydb93XGciPquCZsWlmpwlTGXCqoqiNBilvIE1lXH6rhym78ko= - =nRW4 - -----END PGP MESSAGE----- - fp: 
87AB00D45D37C9E9167B5A5A333448678B60E505 - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DerEtaFuTeewSAQdAPWizx2khKtlshnLwE5PRszAdTvTlsEEiWVV5xJx3PnAw - 9Gj2lZZX4F0AXoKInElg2N02FXpIo24ZZUPXGqpswfSv93NFNNK+FWwqUCRZhuCM - 0l4Blkyy4PthGwIAtXqZ8GGxjoDGBLIAE/zrY9tdNB5XAnkiy7J82kora0dphpkq - Llb1Jgh0+ZK8RQzaf5wcgWf867MhJLhv0N+qLsFVutGpqFy1W/1vaLQ5au5Ty2Tw - =460I - -----END PGP MESSAGE----- - fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912 - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMAxjNhCKPP69fAQ//Rzcsq0Yay/3g/MzqHI1izkSWsdycz3LE6qM4qhX4f7wZ - 4Ymzu2jbSq43IavCjGPOLIKVJ4nlnPd7rcprYNV5DOcGAkXG5x7PbnVta3SPI300 - CXnSGQB1KHUCCYZN1BkL9ZSQyTx0ex19mnsSEtZh8NB97cCZx9zMowdHKd5ySu/O - +CMFkQ6Uoh2FxBtqM1y1YbDiuDJnAlAQSKlDIVdCdMssutWRs9Nf6eiLtcmb4U5l - sNyKQnPrr3vjkaTbVdBKQjjMSa8Z/1Tf95GxNhzrUGm2APLKVYdHkMVlQwcr/ZfH - jGiZqxgBmrtNe3EypdKCDnlPvlxs8mnO5whxzDZW2NFV3piMmOmvLI/Po1ASi/t1 - PW9h05Foh2764Jfp74BkRTvhBfi465wKkON0VOckwWBkl/n7w7POfHCXdK1/AnGj - 9ywj6P4zg50vKiTMkZStq6YKXAEkVcN6YzhVVDFwDwAE1VKFCMKlmwuYT1FuKXBp - 7maF578qVyb0lXP9jaX10Y9dhC4vU2rJB3vtRhxjqeMEe/WOyhEyalrC9phPfBKS - wVKzdd3vvaNGfQSAwseFAn1upvELFwccPw1aRIqqLhzWTY2m48yyW2aEN6+7SqkR - dOBJpZDE4NxOhbQl0rllZdeLUznIgeOKM2iNg/3kM7cWcsLZRm3+l1ZuiCEy5XPS - XgHbwfJlyZYoQyKCntbdA/5VRS/5s0oPJIjuofoBZb35fIqtYPIpUeNccpklXYsO - atiSRwJeiluCFUag0uV3nq0zltOlqdS6piEVqU6xiGLAZe04jkaMBxL6VQQHYU0= - =811X - -----END PGP MESSAGE----- - fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55 - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA1Hthzn+T1OoAQ/9EvULxQSjfO/V600iqRhsQsuuHWY5IfVN+XBCmzmeUX2a - 8qFN8L5gk3pYEoIu4khSCSeIpVyOdX1XeWMMNB15C/pAvgi7emH0y8UxAvCLfW5L - CzP3qLQsbpKUGntPlHaye/G16M/+m4QPc6Y7qwEtUThOei9haPhIU06Tb61IpfLk - AKticUro4ap3Xt/fjDH0NHZsGG33V6LprTt+8LaEcpcwZK/yOWdG4wTV4j6X8LbA - ueCmKunAr1skJrd+hVuwP2e8UkasYgo33pcupsS5jcyXJT9Kf3p/nqOJ3QGlwOtP - lf0DUifdd/QrEXWcMBu+zc9HgtUzpyU3KAoVrxo4JQLaoRlq3kwk3mOOFA0Fzd16 - 
neuJL2wp/RPuL47StHwA9HxQP+3znXkNxmt9yXGzeyeOBpK4O9qoQ9y7Rbd/FR2u - wEl5uAjhhH2xmAUnIKp5Y1UAFSLqZEaiJjjCHMHycaTpCucjEcChpaBGDAXYS1h+ - x/r6R46UgIzMvjpd2vy+C1aQg0p1Z6P65ifOkdAYIghpSkp+F6SUHHkL3w/kRRjE - dBF8YWFm/yl9P9qenakC5NsAA+bR4ZpNWpv32sYuVjIuoV20GdS7UIVQnvos8bBK - NfqoFmz4n8Eo1jLRcCJ376ow7bSEhRIJlJxdq7bFjZ/3Wtk9vt9dG6XV7wLdJwXS - XgGRxjv94TYLFowYA8/uu9fWxvf2i2lLqctjrvbZkW0Rdn2Ym5GXjg6St3Diug6r - y87PJPSN7CYE4jzCDPaSnGcBvwDHrQsLHLAmenfrAi2Jnweg/THpm9UAftoC7AY= - =Fxot - -----END PGP MESSAGE----- - fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hQIMA46L6MuPqfJqARAAnZq75P7GPcuBCBLUOVPK8w1IBxd4XzoEWW3+T80bFTZE - ZjPAvfiGcOqIfc8CPzpS1drviWiRkuEV4EKCuDmX9GReI0SUlvaoiddUA9V62f4b - akBrzqR0nNnWWvjph4/5PRAQO+xO4wQy2r9thCw4oej3QgvKtLRRRY35TkGqlS0t - ej4d80KaqGGsfIPQ5L9f+lqarrKvYx3DMK6CujN13Kot44Uom4L5TeIdPSAW14jS - 13fa/I1Irq56ME9kNctsuAkRkhrW+KchFJqkYXSS82SbXUDDNcVA7knXSzxVR+iU - NJXb8bQO4Ymi8sWPWKHW/GXUkReiTLl8MkLi+mCwL7qo5fMQcBg/KWo0hReQYCj3 - G9DZPs3xWYFcwcmrSV86LSqjMt5g8ZKjPm6ODQcZVA/ZsGlmdTkjsWNn6WRZI55m - 8kkg7BoRMq7p6b15tW4e/w2rr/bTmGQ9dV03KIpmBG6+OUzwgfB2/w2dGmB7Vor6 - JMzvt+1I/PSHsCC/7GurTurAP63x8NO/9HYX2Qg0qzsOusnTKrCoo4lX/tA5YfIt - OKr6zqy8s5Dv/lGUhofkJrhHr/QTRHFVrFtPNn4yfSzo+8uhomHGsmxBGOOiY83L - 3zwYm+9BlzO/ve7PIvs54hIHQaKsP9Ktsgq/+dM7PVlIb5qfwGNvgoS2QXFqCF/S - XgHWy41J0zTGoyEpooGkheVKvgEPvv6YIlm9oTucYP03AkKWxBr9MTNq/+JcLRvw - Zey10uVJnYPUuH2b9f8N8lNBZlkQCBq/AEu0MsygsK8bcVfQL1Qs58xh1uA7gL8= - =wduB - -----END PGP MESSAGE----- - fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A - - created_at: "2026-02-17T22:22:03Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - hF4DQrf1tCqiJxoSAQdA4Y8j9A4ECAds0oJlP50Td1HpYIhywjXKi+pT7CTPXQ8w - 95+hUucTE8WQO/9u4HV2Y2nuyQPwmaYK0iGbNV3YxgI3Zdtf1T680hQxT4y55E1/ - 0l4B+70h9ojiHZkpVKVmFFZdY+tS/jQIFIRxqTW1AAfDf+chO3sUxbRe2qZhOXoY - b/QKU11wFpmOZmzznurOoxkqdNgGNcFm9+Ntb4ZSLSYzx7wrjzmWsaTdFd+coO1j - =V+rP - -----END PGP MESSAGE----- - fp: 
B71138A6A8964A3C3B8899857B4F70C356765BAB - unencrypted_suffix: _unencrypted - version: 3.8.1 diff --git a/config/hosts/woodpecker/sops.nix b/config/hosts/woodpecker/sops.nix deleted file mode 100644 index b4548ed..0000000 --- a/config/hosts/woodpecker/sops.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - sops = { - defaultSopsFile = ./secrets.yaml; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/default.nix b/config/hosts/woodpecker/woodpecker-agent/default.nix deleted file mode 100644 index 279d2bb..0000000 --- a/config/hosts/woodpecker/woodpecker-agent/default.nix +++ /dev/null @@ -1,8 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./docker.nix - ./woodpecker-agent.nix - ]; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/docker.nix b/config/hosts/woodpecker/woodpecker-agent/docker.nix deleted file mode 100644 index af13f4c..0000000 --- a/config/hosts/woodpecker/woodpecker-agent/docker.nix +++ /dev/null @@ -1,12 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/backends/docker -# - https://nixos.wiki/wiki/Docker - -{ config, pkgs, ... }: - -{ - virtualisation.docker = { - enable = true; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix b/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix deleted file mode 100644 index 8c6847b..0000000 --- a/config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix +++ /dev/null 
@@ -1,29 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/agent-config -# - https://woodpecker-ci.org/docs/administration/backends/docker - -{ config, pkgs, ... }: - -{ - services.woodpecker-agents.agents."docker" = { - enable = true; - package = pkgs.woodpecker-agent; - extraGroups = [ "docker" ]; - environment = { - WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}"; - WOODPECKER_MAX_WORKFLOWS = "4"; - WOODPECKER_BACKEND = "docker"; - # Set via enviornmentFile: - # WOODPECKER_AGENT_SECRET - }; - environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ]; - }; - - sops.secrets."woodpecker_agent_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "woodpecker-agent-docker.service" ]; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-server/default.nix b/config/hosts/woodpecker/woodpecker-server/default.nix deleted file mode 100644 index a713746..0000000 --- a/config/hosts/woodpecker/woodpecker-server/default.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ config, pkgs, ... }: - -{ - imports = [ - ./nginx.nix - ./postgresql.nix - ./woodpecker-server.nix - ]; -} diff --git a/config/hosts/woodpecker/woodpecker-server/nginx.nix b/config/hosts/woodpecker/woodpecker-server/nginx.nix deleted file mode 100644 index 962183c..0000000 --- a/config/hosts/woodpecker/woodpecker-server/nginx.nix +++ /dev/null 
@@ -1,57 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/proxy - -{ config, pkgs, ... }: - -{ - services.nginx = { - enable = true; - - virtualHosts."acme-woodpecker.hamburg.ccc.de" = { - default = true; - enableACME = true; - serverName = "woodpecker.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - virtualHosts."woodpecker.hamburg.ccc.de" = { - default = true; - forceSSL = true; - useACMEHost = "woodpecker.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/woodpecker/woodpecker-server/postgresql.nix b/config/hosts/woodpecker/woodpecker-server/postgresql.nix deleted file mode 100644 index e715650..0000000 --- a/config/hosts/woodpecker/woodpecker-server/postgresql.nix +++ /dev/null 
@@ -1,18 +0,0 @@ -# Sources for this configuration: -# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069 - -{ config, pkgs, ... }: - -{ - services.postgresql = { - enable = true; - package = pkgs.postgresql_15; - ensureDatabases = [ "woodpecker-server" ]; - ensureUsers = [ - { - name = "woodpecker-server"; - ensureDBOwnership = true; - } - ]; - }; -} diff --git a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix b/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix deleted file mode 100644 index 1836b73..0000000 --- a/config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix +++ /dev/null 
@@ -1,44 +0,0 @@ -# Sources for this configuration: -# - https://woodpecker-ci.org/docs/administration/deployment/nixos -# - https://woodpecker-ci.org/docs/administration/server-config -# - https://woodpecker-ci.org/docs/administration/database -# - https://woodpecker-ci.org/docs/administration/forges/forgejo -# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING - -{ config, pkgs, ... }: - -{ - services.woodpecker-server = { - enable = true; - package = pkgs.woodpecker-server; - environment = { - WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de"; - WOODPECKER_SERVER_ADDR = ":8001"; - WOODPECKER_GRPC_ADDR = ":9000"; - WOODPECKER_ADMIN = "june"; - WOODPECKER_OPEN = "true"; - WOODPECKER_ORGS = "CCCHH"; - WOODPECKER_DATABASE_DRIVER = "postgres"; - WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql"; - WOODPECKER_FORGEJO = "true"; - WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de"; - WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB - # Set via enviornmentFile: - # WOODPECKER_FORGEJO_CLIENT - # WOODPECKER_FORGEJO_SECRET - }; - environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ]; - }; - - systemd.services.woodpecker-server.serviceConfig = { - User = "woodpecker-server"; - Group = "woodpecker-server"; - }; - - sops.secrets."woodpecker_server_environment_file" = { - mode = "0440"; - owner = "root"; - group = "root"; - restartUnits = [ "woodpecker-server.service" ]; - }; -} diff --git a/flake.nix b/flake.nix index 3b28ef2..f16409b 100644 --- a/flake.nix +++ b/flake.nix @@ -159,17 +159,6 @@ ]; }; - woodpecker = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - self.nixosModules.prometheus-exporter - ./config/hosts/woodpecker - ]; - }; - penpot = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ 
From 9258f15343f2a5f27e763e7d24fc902d456c58eb Mon Sep 17 00:00:00 2001 From: June Date: Mon, 18 May 2026 22:04:57 +0200 Subject: [PATCH 11/12] deploy infra-docs and infra-docs staging on public-web-static --- .../virtualHosts/default.nix | 2 + .../infra-docs.hamburg.ccc.de.nix | 73 +++++++++++++++++++ .../staging.infra-docs.hamburg.ccc.de.nix | 72 ++++++++++++++++++ 3 files changed, 147 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix create mode 100644 config/hosts/public-web-static/virtualHosts/staging.infra-docs.hamburg.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 404ca35..d1c1355 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -13,6 +13,7 @@ ./hacker.tours.nix ./hackertours.hamburg.ccc.de.nix ./hamburg.ccc.de.nix + ./infra-docs.hamburg.ccc.de.nix ./spaceapi.hamburg.ccc.de.nix ./staging.c3cat.de.nix ./staging.c3dog.de.nix @@ -21,6 +22,7 @@ ./staging.hacker.tours.nix ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix + ./staging.infra-docs.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix ./diday.org.nix ./staging.diday.org.nix diff --git a/config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix new file mode 100644 index 0000000..5bb565d --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix 
@@ -0,0 +1,73 @@
+{ pkgs, ... }:
+
+let
+ domain = "infra-docs.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "infra-docs-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 31820;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfwfy9f3R/tDOiUeG5DA9oIGDDEAP270MqFG3V1P11L deploy key for infra-docs"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
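Review bot: The deploy account is created with `isNormalUser = true` and an unrestricted entry in `openssh.authorizedKeys.keys`, so whoever holds the CI deploy key can run arbitrary commands on the web host as that user, not just write to `${dataDir}`. Limit the key to what the deployment needs by prefixing it with options, e.g. `"restrict ssh-ed25519 <key> deploy key for infra-docs"`. `restrict` turns off forwarding and PTY allocation; a forced `command=` for the transfer tool is what confines the key to the upload itself. How the site is uploaded is not visible here, so the exact forced command has to be chosen to match it.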
@@ -0,0 +1,72 @@
+{ pkgs, ... }:
+
+let
+ domain = "staging.infra-docs.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "infra-docs-deploy";
+in {
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 31820;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "[::]";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ # Disallow *, since this is staging and doesn't need to be in any search
+ # results.
+ locations."/robots.txt" = {
+ return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+ };
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ # infra-docs deploy user already defined in infra-docs.hamburg.ccc.de.nix.
+}
From 9d3945e1892caaaaee65337a0e3c0d5996c73e5c Mon Sep 17 00:00:00 2001
From: June
Date: Mon, 25 May 2026 02:30:12 +0200
Subject: [PATCH 12/12] hamburg.ccc.de: redirect old no olympia url to new one for compatibility
---
 .../public-web-static/virtualHosts/hamburg.ccc.de.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index abbf5aa..8b2177c 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
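Review bot: The `locations."/robots.txt"` entry is the only measure in staging.infra-docs.hamburg.ccc.de.nix that keeps the staging site out of view, and robots.txt is a request to crawlers rather than access control, so the staging copy of the infra docs stays readable by anyone who learns the hostname. If staging can contain material ahead of what is meant to be published, the vhost needs a real restriction such as basic auth or an address allowlist; whether that applies cannot be judged from this patch. The response body also uses `Disallow: *`, while the conventional form for excluding the whole site is `Disallow: /`, i.e. `return = "200 \"User-agent: *\\nDisallow: /\\n\"";`. Staging reuses `infra-docs-deploy`, so one key can write to both the staging and the production directory; the trailing comment could say that this sharing is intended.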
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -99,6 +99,14 @@ return = "302 https://cloud.hamburg.ccc.de/apps/calendar/embed/QJAdExziSnNJEz5g"; }; + # Redirects for blog post edits. + locations."/blog/2026/05/23/der-ccchh-sagt-nein-zu-olympia-in-hamburg" = { + return = "302 https://hamburg.ccc.de/blog/2026/05/31/der-ccchh-sagt-nein-zu-olympia-in-hamburg/"; + }; + locations."/blog/2026/05/23/der-ccchh-sagt-nein-zu-olympia-in-hamburg/" = { + return = "302 https://hamburg.ccc.de/blog/2026/05/31/der-ccchh-sagt-nein-zu-olympia-in-hamburg/"; + }; + extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy