fix typo and writing improvement

Do this to be in line with other places, where resources get fetched
using git and to hopefully avoid errors such as:
Cannot find Git revision 'da9d3ead9d97ce0fef7538638326264957e2f1b4' in ref 'trunk' of repository 'ssh://forgejo@git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys.git'! Please make sure that the rev exists on the ref you've specified or add allRefs = true; to fetchGit.
This issue was discovered while trying to make the new hydra work.

config/common/users.nix

@@ -9,10 +9,10 @@
 { config, pkgs, lib, ... }:
 
 let
-  authorizedKeysRepo = builtins.fetchGit {
+  authorizedKeysRepo = pkgs.fetchgit {
-    url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
+    url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
-    ref = "trunk";
+    rev = "b6a29dc7af0a45a8c0b4904290c7cb0c5bc51413";
-    rev = "da9d3ead9d97ce0fef7538638326264957e2f1b4";
+    hash = "sha256-c0aH0wQeJtfXJG5wAbS6aO8yILLI1NNkFAHAeOm8RXA=";
   };
   authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
 in

config/hosts/hydra/configuration.nix

@@ -0,0 +1,9 @@
+{ ... }:
+
+{
+  networking = {
+    hostName = "hydra";
+  };
+
+  system.stateVersion = "24.05";
+}

config/hosts/hydra/default.nix

@@ -0,0 +1,11 @@
+{ ... }:
+
+{
+  imports = [
+    ./configuration.nix
+    ./hydra.nix
+    ./networking.nix
+    ./nginx.nix
+    ./nix.nix
+  ];
+}

config/hosts/hydra/hydra.nix

@@ -0,0 +1,15 @@
+{ ... }:
+
+{
+  services.hydra = {
+    enable = true;
+    listenHost = "localhost";
+    port = 3000;
+    hydraURL = "https://hydra.hamburg.ccc.de/";
+    # E-Mail configuration requires some work/investigation still.
+    notificationSender = "no-reply@hydra.hamburg.ccc.de";
+    useSubstitutes = true;
+    minimumDiskFree = 8;
+    minimumDiskFreeEvaluator = 2;
+  };
+}

config/hosts/hydra/networking.nix

@@ -0,0 +1,22 @@
+{ ... }:
+
+{
+  networking = {
+    interfaces.net0 = {
+      ipv4.addresses = [
+        {
+          address = "172.31.17.163";
+          prefixLength = 25;
+        }
+      ];
+    };
+    defaultGateway = "172.31.17.129";
+    nameservers = [ "212.12.50.158" "192.76.134.90" ];
+    search = [ "hamburg.ccc.de" ];
+  };
+
+  systemd.network.links."10-net0" = {
+    matchConfig.MACAddress = "BC:24:11:45:7C:D6";
+    linkConfig.Name = "net0";
+  };
+}

config/hosts/hydra/nginx.nix

@@ -0,0 +1,58 @@
+{ config, pkgs, ... }:
+
+let
+  domain = "hydra.hamburg.ccc.de";
+in
+{
+  services.nginx = {
+    enable = true;
+
+    virtualHosts = {
+      "acme-${domain}" = {
+        default = true;
+        enableACME = true;
+        serverName = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 31820;
+          }
+        ];
+      };
+
+      "${domain}" = {
+        default = true;
+        forceSSL = true;
+        useACMEHost = "${domain}";
+
+        listen = [
+          {
+            addr = "0.0.0.0";
+            port = 8443;
+            ssl = true;
+            proxyProtocol = true;
+          }
+        ];
+
+        locations."/" = {
+          proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
+        };
+
+        extraConfig = ''
+          # Make use of the ngx_http_realip_module to set the $remote_addr and
+          # $remote_port to the client address and client port, when using proxy
+          # protocol.
+          # First set our proxy protocol proxy as trusted.
+          set_real_ip_from 172.31.17.140;
+          # Then tell the realip_module to get the addreses from the proxy protocol
+          # header.
+          real_ip_header proxy_protocol;
+        '';
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
+  networking.firewall.allowedUDPPorts = [ 8443 ];
+}

config/hosts/hydra/nix.nix

@@ -0,0 +1,10 @@
+{ ... }:
+
+{
+  # Allow Hydra to fetch flake inputs.
+  nix.settings.allowed-uris = [
+    "github:"
+    "https://github.com/"
+    "https://git.hamburg.ccc.de/"
+  ];
+}

config/hosts/public-web-static/spaceapid-config/ccchh-dynamic.json

@@ -25,13 +25,13 @@
           ]
         }
       ],
-      "3d_printer_state": [
+      "ext_3d_printer_busy_state": [
         {
           "sensor_data": {
             "unit": "bool",
             "location": "Loetschlauch",
             "name": "mk4",
-            "description": "Prusa mk4 state"
+            "description": "Prusa mk4 busy state"
           },
           "allowed_credentials": [
             "club-assistant"
@@ -42,7 +42,31 @@
             "unit": "bool",
             "location": "Loetschlauch",
             "name": "mk3.5",
-            "description": "Prusa mk3.5 state"
+            "description": "Prusa mk3.5 busy state"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        }
+      ],
+      "ext_3d_printer_minutes_remaining": [
+        {
+          "sensor_data": {
+            "unit": "minutes_remaining",
+            "location": "Loetschlauch",
+            "name": "mk4",
+            "description": "Prusa mk4 minutes remaining"
+          },
+          "allowed_credentials": [
+            "club-assistant"
+          ]
+        },
+        {
+          "sensor_data": {
+            "unit": "minutes_remaining",
+            "location": "Loetschlauch",
+            "name": "mk3.5",
+            "description": "Prusa mk3.5 minutes remaining"
           },
           "allowed_credentials": [
             "club-assistant"

config/hosts/public-web-static/virtualHosts/default.nix

@@ -6,9 +6,11 @@
     ./c3cat.de.nix
     ./element.hamburg.ccc.de.nix
     ./hacker.tours.nix
+    ./hackertours.hamburg.ccc.de.nix
     ./hamburg.ccc.de.nix
     ./spaceapi.hamburg.ccc.de.nix
     ./staging.hacker.tours.nix
+    ./staging.hackertours.hamburg.ccc.de.nix
     ./staging.hamburg.ccc.de.nix
     ./www.hamburg.ccc.de.nix
     ./historic-easterhegg

config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix

@@ -0,0 +1,68 @@
+{ pkgs, ... }:
+
+let
+  domain = "hackertours.hamburg.ccc.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "ht-ccchh-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+
+        port_in_redirect off;
+
+        rewrite ^/(de|en)/tours$ /$1/37c3 redirect;
+        rewrite ^/(de|en)/tours/(.*)$ /$1/37c3/$2 redirect;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  users.users."${deployUser}" = {
+    isNormalUser = true;
+    group = "${deployUser}";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILxMnllgRD6W85IQ0WrVJSwr7dKM8PLNK4pmGaJRu0OR deploy key for hackertours.hamburg.ccc.de"
+    ];
+  };
+  users.groups."${deployUser}" = { };
+}

config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix

@@ -94,6 +94,8 @@
         real_ip_header proxy_protocol;
 
         error_page 404 /404.html;
+
+        port_in_redirect off;
       '';
     };
   };

config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix

@@ -71,6 +71,11 @@ in
         root = "${eh20}/wiki_siteexport";
       };
 
+      # redirect doku.php?id=$pagename to /$pagename.html
+      locations."/doku.php" = {
+        return = "301 $scheme://$host/$arg_id.html";
+      };
+
       extraConfig = ''
         # Make use of the ngx_http_realip_module to set the $remote_addr and
         # $remote_port to the client address and client port, when using proxy

config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix

@@ -0,0 +1,62 @@
+{ pkgs, ... }:
+
+let
+  domain = "staging.hackertours.hamburg.ccc.de";
+  dataDir = "/var/www/${domain}";
+  deployUser = "ht-ccchh-website-deploy";
+in {
+  services.nginx.virtualHosts = {
+    "acme-${domain}" = {
+      enableACME = true;
+      serverName = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "${domain}" = {
+      forceSSL = true;
+      useACMEHost = "${domain}";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          proxyProtocol = true;
+        }
+      ];
+
+      root = "${dataDir}";
+
+      # Disallow *, since this is staging and doesn't need to be in any search
+      # results.
+      locations."/robots.txt" = {
+        return = "200 \"User-agent: *\\nDisallow: *\\n\"";
+      };
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+
+        error_page 404 /404.html;
+      '';
+    };
+  };
+
+  systemd.tmpfiles.rules = [
+    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+  ];
+
+  # Hackertours CCCHH deploy user already defined in hackertours.hamburg.ccc.de.nix.
+}

config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix

@@ -44,6 +44,8 @@
         # Then tell the realip_module to get the addreses from the proxy protocol
         # header.
         real_ip_header proxy_protocol;
+
+        port_in_redirect off;
       '';
     };
   };

deployment_configuration.json

@@ -32,6 +32,9 @@
     },
     "penpot": {
       "targetHostname": "penpot-intern.hamburg.ccc.de"
+    },
+    "hydra": {
+      "targetHostname": "hydra-intern.hamburg.ccc.de"
     }
   }
 }

flake.nix

@@ -23,7 +23,7 @@
     };
   };
 
-  outputs = { nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
+  outputs = { self, nixpkgs, nixpkgs-unstable, nixos-generators, sops-nix, ... }:
     let
       system = "x86_64-linux";
       # Shairport Sync 4.3.1 (with nqptp 1.2.4) with metadata, MQTT and AirPlay 2 support.
@@ -254,6 +254,16 @@
             ./config/hosts/penpot
           ];
         };
+
+        hydra = nixpkgs.lib.nixosSystem {
+          inherit system;
+          modules = [
+            ./config/common
+            ./config/proxmox-vm
+            ./config/extra/prometheus-exporter.nix
+            ./config/hosts/hydra
+          ];
+        };
       };
 
       packages.x86_64-linux = {
@@ -280,5 +290,10 @@
       };
 
       formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
+
+      hydraJobs = {
+        inherit (self) packages;
+        nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations;
+      };
     };
 }