Compare commits

..

No commits in common. "a8229bfd0dff789ead94036c49f3338683e74f2e" and "f27d3ba1139aec51f10481bafb63f4ff2d902e90" have entirely different histories.

11 changed files with 84 additions and 230 deletions

View file

@ -15,29 +15,6 @@
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
labels = [ "docker:docker://node:current-bookworm" ];
settings = {
cache = {
proxy_port = 45540;
};
runner = {
capacity = 4;
};
};
};
instances.ccchh-codeberg-org-diday = {
enable = true;
name = "ccchh runner for codeberg.org/di-day";
url = "https://codeberg.org/";
tokenFile = "/run/secrets/codeberg_org_diday_runner_registration_token";
labels = [
"docker:docker://node:current-bookworm"
"debian-latest:docker://node:current-bookworm"
"alpine-latest:docker://node:current-alpine"
];
settings = {
cache = {
proxy_port = 45541;
};
runner = {
capacity = 4;
};
@ -51,10 +28,4 @@
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
};
sops.secrets."codeberg_org_diday_runner_registration_token" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dcodeberg\\x2dorg\\x2ddiday.service" ];
};
}

View file

@ -1,8 +1,6 @@
{ lib, config, ... }:
let
runnerInstances = lib.attrValues config.services.gitea-actions-runner.instances;
runnerCachePorts = lib.map (i: i.settings.cache.proxy_port) runnerInstances;
in {
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
@ -21,7 +19,4 @@ in {
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
linkConfig.Name = "net0";
};
# open ports for runner cache proxy so that we can use the cache action
networking.firewall.allowedTCPPorts = runnerCachePorts;
}

View file

@ -1,5 +1,4 @@
forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
codeberg_org_diday_runner_registration_token: ENC[AES256_GCM,data:thTsLo/eXVPbXt4b8ldae+kGnOR4GbYKOqr1hVJgaL7wZ5GgqWSPcOuhow96Jw==,iv:Fzi+DsKj+4PrwQGEosUntm9l7s78NwzhkmF6e/sfF+s=,tag:oa7mnbGR0J5xi9ruCgRJtQ==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
@ -20,8 +19,8 @@ sops:
TklLZWM0cDBKaGJJM2tQQWRLZXhFYU0Ko7cyvzMvwlGCCP3UAX1+5uTI4srhZ5l9
DPaHySiC+rLy+8R9UqEuTKbP4/Aw4NZ/UcfjNnVkqqqNJIODmLoOhg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2026-02-18T09:51:37Z"
mac: ENC[AES256_GCM,data:4fWsE3U6WxRqlKHKC4ipE+RQ7MPjiZZcTFMSblxty7JjJHAdKUHbthFB+R8gIWxZEjX5WG+IPgUP+AcCLSI9fdcXMqIFMuDun2hiktwqxzLPGYAoCXdTBAd1uCUagvB/rFty6y8umD4J5ITgEGba9pvGdUcng9WVRV+LGDftS1g=,iv:tD9tlcylQWapNCARxPXrKofZXf2BHTt2c4PQqFNj6X8=,tag:pQ8lOqJEFCcCcJot3BYTmQ==,type:str]
lastmodified: "2024-05-26T00:29:52Z"
mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str]
pgp:
- created_at: "2026-02-17T22:21:57Z"
enc: |-
@ -146,4 +145,4 @@ sops:
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.11.0
version: 3.8.1

View file

@ -0,0 +1,10 @@
{ config, pkgs, ... }:
{
networking = {
hostName = "public-reverse-proxy";
domain = "z9.ccchh.net";
};
system.stateVersion = "23.05";
}

View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
imports = [
./configuration.nix
./nginx.nix
];
}

View file

@ -0,0 +1,51 @@
# Sources for this configuration:
# - https://nixos.wiki/wiki/Nginx
# - https://nixos.org/manual/nixos/stable/#sec-firewall
# - https://git.grzb.de/yuri/nix-infra/-/tree/3896d34f4f7f3b5dd5cbd270a14b56b102ef3a2a/hosts/web-public-2
{ config, pkgs, ... }:
{
services.nginx.appendHttpConfig = ''
map $host $upstream_acme_challenge_host {
club-assistant.ccchh.net 10.31.208.10;
netbox.ccchh.net 10.31.208.29:31820;
light.ccchh.net 10.31.208.23;
light-werkstatt.ccchh.net 10.31.208.23;
thinkcccore0.ccchh.net 10.31.242.3;
thinkcccore1.ccchh.net 10.31.242.4;
thinkcccore2.ccchh.net 10.31.242.5;
thinkcccore3.ccchh.net 10.31.242.6;
zigbee2mqtt.ccchh.net 10.31.208.25:31820;
esphome.ccchh.net 10.31.208.24:31820;
proxmox-backup-server.ccchh.net 10.31.208.28;
default "";
}
'';
services.nginx = {
enable = true;
virtualHosts."well-known_acme-challenge" = {
default = true;
listen = [{
addr = "0.0.0.0";
port = 80;
}];
locations."/.well-known/acme-challenge/" = {
proxyPass = "http://$upstream_acme_challenge_host";
};
# Better safe than sorry.
# Don't do a permanent redirect to avoid acme challenge pain.
locations."/" = {
return = "307 https://$host$request_uri";
};
};
};
networking.firewall.allowedTCPPorts = [ 80 443 ];
networking.firewall.allowedUDPPorts = [ 443 ];
}

View file

@ -5,11 +5,6 @@
enable = true;
appendHttpConfig = ''
access_log off;
# load the DI-Day redirect map from the webroot
map $request_uri $did_redirect_target {
include /var/www/did.hamburg.ccc.de/nginx-redirects.conf;
}
'';
};

View file

@ -18,8 +18,6 @@
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
./staging.did.hamburg.ccc.de.nix
./did.hamburg.ccc.de.nix
./historic-easterhegg
];
}

View file

@ -1,123 +0,0 @@
{ ... }:
let
domain = "did.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "diday-website-deploy";
in
{
# security.acme.certs."${domain}".extraDomainNames = [];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
index index.html;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
# return a redirect based on the map loaded from the webroot
if ($did_redirect_target ~ ^301:(.*)$) {
return 301 $1;
}
if ($did_redirect_target ~ ^302:(.*)$) {
return 302 $1;
}
# deny access to the redirects config file
location = /nginx-redirects.conf {
deny all;
return 404;
}
# dynamically redirect the user to the language they prefer
location = / {
set $lang "de";
if ($http_accept_language ~* "^en") {
set $lang "en";
}
return 302 /$lang/;
}
# configure decap-cms content-type and caching rules
location = /admin/cms.js {
expires -1;
add_header Cache-Control "no-store";
}
location = /admin/config.yml {
expires -1;
add_header Cache-Control "no-store";
types { }
default_type text/yaml;
}
# configure asset caching
location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
expires 1y;
add_header Cache-Control "public, immutable";
}
# we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
location /admin/src/ {
log_not_found off;
return 404;
}
location / {
try_files $uri $uri/ =404;
}
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
];
};
users.groups."${deployUser}" = { };
}

View file

@ -1,59 +0,0 @@
{ ... }:
let
domain = "staging.did.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "diday-website-deploy";
in
{
# security.acme.certs."${domain}".extraDomainNames = [];
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
error_page 404 /404.html;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
}

View file

@ -94,6 +94,15 @@
];
};
public-reverse-proxy = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
./config/hosts/public-reverse-proxy
];
};
matrix = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [