wip

Flake lock file updates:

• Updated input 'nixos-generators':
    'github:nix-community/nixos-generators/ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc' (2025-05-19)
  → 'github:nix-community/nixos-generators/032decf9db65efed428afd2fa39d80f7089085eb' (2025-07-07)
• Updated input 'nixpkgs':
    'github:nixos/nixpkgs/c7ab75210cb8cb16ddd8f290755d9558edde7ee1' (2025-06-22)
  → 'github:nixos/nixpkgs/32a4e87942101f1c9f9865e04dc3ddb175f5f32e' (2025-07-15)
• Updated input 'sops-nix':
    'github:Mic92/sops-nix/77c423a03b9b2b79709ea2cb63336312e78b72e2' (2025-06-17)
  → 'github:Mic92/sops-nix/2c8def626f54708a9c38a5861866660395bb3461' (2025-07-15)

.sops.yaml

@@ -3,7 +3,7 @@ keys:
   - &admin_gpg_stb F155144FC925A1BEA1F8A2C59A2A4CD59BFDC5EC
   - &admin_gpg_jtbx 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
   - &admin_gpg_yuri 87AB00D45D37C9E9167B5A5A333448678B60E505
-  - &admin_gpg_june 91213ABAA73B0B73D3C02B5B4E5F372D17BBE67C
+  - &admin_gpg_june 057870A2C72CD82566A3EC983695F4FCBCAE4912
   - &admin_gpg_haegar F38C9D4228FC6F674E322D9C3326D914EB9B8F55
   - &admin_gpg_dario 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
   - &admin_gpg_echtnurich 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
@@ -32,7 +32,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_git
   - path_regex: config/hosts/forgejo-actions-runner/.*
@@ -48,7 +47,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_forgejo_actions_runner
   - path_regex: config/hosts/matrix/.*
@@ -64,7 +62,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_matrix
   - path_regex: config/hosts/public-web-static/.*
@@ -80,7 +77,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_public_web_static
   - path_regex: config/hosts/mjolnir/.*
@@ -96,7 +92,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_mjolnir
   - path_regex: config/hosts/woodpecker/.*
@@ -112,7 +107,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_woodpecker
   - path_regex: config/hosts/penpot/.*
@@ -128,7 +122,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_penpot
   - path_regex: config/hosts/yate/.*
@@ -144,7 +137,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
         age:
           - *host_age_yate
   - key_groups:
@@ -159,7 +151,6 @@ creation_rules:
           - *admin_gpg_echtnurich
           - *admin_gpg_max
           - *admin_gpg_c6ristian
-          - *admin_gpg_dante
 stores:
   yaml:
     indent: 2

config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix

@@ -0,0 +1,64 @@
+{ ... }:
+
+let
+  domain = "cryptoparty-hamburg.de";
+  dataDir = "/var/www/cryptoparty-hamburg.de";
+  deployUser = "cryptoparty-website-deploy";
+in
+{
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICz+Lxi9scblM/SKJq4nl64UwvVn8SuF2xmzOuyQrzR+ deploy key for cryptoparty-hamburg.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}

config/hosts/public-web-static/virtualHosts/default.nix

@@ -4,12 +4,14 @@
   imports = [
     ./branding-resources.hamburg.ccc.de.nix
     ./c3cat.de.nix
+    ./cryptoparty-hamburg.de.nix
     ./element.hamburg.ccc.de.nix
     ./hacker.tours.nix
     ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
     ./staging.c3cat.de.nix
+    ./staging.cryptoparty-hamburg.de.nix
     ./staging.hacker.tours.nix
     ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix

config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix

@@ -1,10 +1,10 @@
 { pkgs, ... }:
 
 let
-  elementWebVersion = "1.11.95";
+  elementWebVersion = "1.11.106";
   element-web = pkgs.fetchzip {
     url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
-    sha256 = "sha256-Bs1oYfJ5xXNpQJL92U0/3s979DKfdSZsBo5febp4QGc=";
+    sha256 = "sha256-5E6za7G7Olia5VzOnBjYMeGJ2Xifqx+vDmCFgNLaRZo=";
   };
   elementSecurityHeaders = ''
     # Configuration best practices

config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix

@@ -0,0 +1,61 @@
+{ ... }:
+
+let
+  domain = "staging.cryptoparty-hamburg.de";
+  dataDir = "/var/www/staging.cryptoparty-hamburg.de";
+  deployUser = "cryptoparty-website-deploy";
+in
+{
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # Cryptoparty website deploy user already defined in cryptoparty-hamburg.de.nix.
+}

flake.lock

@@ -35,11 +35,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1747663185,
-        "narHash": "sha256-Obh50J+O9jhUM/FgXtI3he/QRNiV9+J53+l+RlKSaAk=",
+        "lastModified": 1751903740,
+        "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=",
         "owner": "nix-community",
         "repo": "nixos-generators",
-        "rev": "ee07ba0d36c38e9915c55d2ac5a8fb0f05f2afcc",
+        "rev": "032decf9db65efed428afd2fa39d80f7089085eb",
         "type": "github"
       },
       "original": {
@@ -66,11 +66,11 @@
     },
     "nixpkgs_2": {
       "locked": {
-        "lastModified": 1749727998,
-        "narHash": "sha256-mHv/yeUbmL91/TvV95p+mBVahm9mdQMJoqaTVTALaFw=",
+        "lastModified": 1752620740,
+        "narHash": "sha256-f3pO+9lg66mV7IMmmIqG4PL3223TYMlnlw+pnpelbss=",
         "owner": "nixos",
         "repo": "nixpkgs",
-        "rev": "fd487183437963a59ba763c0cc4f27e3447dd6dd",
+        "rev": "32a4e87942101f1c9f9865e04dc3ddb175f5f32e",
         "type": "github"
       },
       "original": {
@@ -95,11 +95,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1747603214,
-        "narHash": "sha256-lAblXm0VwifYCJ/ILPXJwlz0qNY07DDYdLD+9H+Wc8o=",
+        "lastModified": 1752544651,
+        "narHash": "sha256-GllP7cmQu7zLZTs9z0J2gIL42IZHa9CBEXwBY9szT0U=",
         "owner": "Mic92",
         "repo": "sops-nix",
-        "rev": "8d215e1c981be3aa37e47aeabd4e61bb069548fd",
+        "rev": "2c8def626f54708a9c38a5861866660395bb3461",
         "type": "github"
       },
       "original": {