Compare commits
4 commits
e404d4740f
...
281ad152d6
Author | SHA1 | Date | |
---|---|---|---|
281ad152d6 | |||
39b73b0926 | |||
1283d7664f | |||
4978ffc758 |
6 changed files with 9 additions and 144 deletions
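--- a/LICENSE
+++ b/LICENSE
@@ -1,21 +0,0 @@
-MIT License
-
-Copyright (c) CCCHH
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in all
-copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
-SOFTWARE.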
@ -73,7 +73,3 @@ Build a new NixOS Proxmox VE Template for the chaosknoten:
|
||||||
```shell
|
```shell
|
||||||
nix build .#proxmox-chaosknoten-nixos-template
|
nix build .#proxmox-chaosknoten-nixos-template
|
||||||
```
|
```
|
||||||
|
|
||||||
## License
|
|
||||||
|
|
||||||
This CCCHH nix-infra repository is licensed under the [MIT License](./LICENSE).
|
|
||||||
|
|
|
@ -9,10 +9,10 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
authorizedKeysRepo = builtins.fetchGit {
|
authorizedKeysRepo = pkgs.fetchgit {
|
||||||
url = "forgejo@git.hamburg.ccc.de:CCCHH/infrastructure-authorized-keys.git";
|
url = "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys";
|
||||||
ref = "trunk";
|
|
||||||
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
|
rev = "686a6af22f6696f0c0595c56f463c078550049fc";
|
||||||
|
hash = "sha256-plTYjM6zPzoBE/dp6EUrk9mCqmab278p8FqBCTX8Grc=";
|
||||||
};
|
};
|
||||||
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
|
authorizedKeys = builtins.filter (item: item != "") (lib.strings.splitString "\n" (builtins.readFile "${authorizedKeysRepo}/authorized_keys"));
|
||||||
in
|
in
|
||||||
|
|
|
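Review bot: The new `pkgs.fetchgit` call pins the authorized-keys checkout by both `rev` and `hash`, but nothing next to `authorizedKeysRepo` records that the two must be bumped together, and since this checkout decides which SSH public keys get deployed that coupling is the whole point of the change; a comment such as `# Fixed-output fetch: bump rev and hash together. The hash is what Nix verifies, so the deployed key set stays reproducible and cannot drift with upstream history.` would capture it. The `authorizedKeys` line below only filters out empty strings, so whitespace-only or `#` comment lines in the upstream `authorized_keys` file pass through as list entries; sshd ignores such lines, so this only matters if the list is ever consumed by something stricter, which cannot be seen from this hunk. The `let` body this hunk belongs to continues past it.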
@ -1,19 +1,10 @@
|
||||||
{ pkgs, ... }:
|
{ pkgs, ... }:
|
||||||
|
|
||||||
let
|
{
|
||||||
domain = "c3cat.de";
|
|
||||||
dataDir = "/var/www/${domain}";
|
|
||||||
deployUser = "c3cat-website-deploy";
|
|
||||||
in {
|
|
||||||
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
|
|
||||||
|
|
||||||
services.nginx.virtualHosts = {
|
services.nginx.virtualHosts = {
|
||||||
"acme-${domain}" = {
|
"acme-c3cat.de" = {
|
||||||
enableACME = true;
|
enableACME = true;
|
||||||
serverName = "${domain}";
|
serverName = "c3cat.de";
|
||||||
serverAliases = [
|
|
||||||
"www.${domain}"
|
|
||||||
];
|
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
{
|
{
|
||||||
|
@ -23,9 +14,9 @@ in {
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
"$www.${domain}" = {
|
"c3cat.de" = {
|
||||||
forceSSL = true;
|
forceSSL = true;
|
||||||
useACMEHost = "${domain}";
|
useACMEHost = "c3cat.de";
|
||||||
|
|
||||||
listen = [
|
listen = [
|
||||||
{
|
{
|
||||||
|
@ -37,7 +28,7 @@ in {
|
||||||
];
|
];
|
||||||
|
|
||||||
locations."/" = {
|
locations."/" = {
|
||||||
return = "302 https://c3cat.de$request_uri";
|
return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";
|
||||||
};
|
};
|
||||||
|
|
||||||
extraConfig = ''
|
extraConfig = ''
|
||||||
|
@ -51,45 +42,5 @@ in {
|
||||||
real_ip_header proxy_protocol;
|
real_ip_header proxy_protocol;
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
"${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "${domain}";
|
|
||||||
|
|
||||||
listen = [
|
|
||||||
{
|
|
||||||
addr = "0.0.0.0";
|
|
||||||
port = 8443;
|
|
||||||
ssl = true;
|
|
||||||
proxyProtocol = true;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
root = "${dataDir}";
|
|
||||||
|
|
||||||
extraConfig = ''
|
|
||||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
|
||||||
# $remote_port to the client address and client port, when using proxy
|
|
||||||
# protocol.
|
|
||||||
# First set our proxy protocol proxy as trusted.
|
|
||||||
set_real_ip_from 172.31.17.140;
|
|
||||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
|
||||||
# header.
|
|
||||||
real_ip_header proxy_protocol;
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
|
|
||||||
];
|
|
||||||
|
|
||||||
users.users."${deployUser}" = {
|
|
||||||
isNormalUser = true;
|
|
||||||
group = "${deployUser}";
|
|
||||||
openssh.authorizedKeys.keys = [
|
|
||||||
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIcZJzQO4RYinJm6YDUgCELe8OJA/DYOss+8xp7TtxM0 deploy key for c3cat.de"
|
|
||||||
];
|
|
||||||
};
|
|
||||||
users.groups."${deployUser}" = { };
|
|
||||||
}
|
}
|
||||||
|
|
|
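Review bot: `www.c3cat.de` disappears from this file in the first hunk — the `security.acme.certs."${domain}".extraDomainNames` line and the `serverAliases = [ "www.${domain}" ]` block are removed and the new `"acme-c3cat.de"` and `"c3cat.de"` hosts name only the apex — so if that DNS record still points at this host, requests for it presumably land on whichever vhost nginx treats as default on the 8443 listener, served with a certificate that no longer carries the name. Either retire the record or keep the alias on the redirect host: `serverAliases = [ "www.c3cat.de" ];` together with `security.acme.certs."c3cat.de".extraDomainNames = [ "www.c3cat.de" ];`. Separately, the `return = "302 https://wiki.hamburg.ccc.de/club:c3cat:start";` line in the third hunk makes the move to the wiki a temporary redirect; if it is meant to be permanent, a `301` lets clients and crawlers stop returning to this host.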
@ -9,7 +9,6 @@
|
||||||
./hackertours.hamburg.ccc.de.nix
|
./hackertours.hamburg.ccc.de.nix
|
||||||
./hamburg.ccc.de.nix
|
./hamburg.ccc.de.nix
|
||||||
./spaceapi.hamburg.ccc.de.nix
|
./spaceapi.hamburg.ccc.de.nix
|
||||||
./staging.c3cat.de.nix
|
|
||||||
./staging.hacker.tours.nix
|
./staging.hacker.tours.nix
|
||||||
./staging.hackertours.hamburg.ccc.de.nix
|
./staging.hackertours.hamburg.ccc.de.nix
|
||||||
./staging.hamburg.ccc.de.nix
|
./staging.hamburg.ccc.de.nix
|
||||||
|
|
|
@ -1,60 +0,0 @@
|
||||||
{ pkgs, ... }:
|
|
||||||
|
|
||||||
let
|
|
||||||
domain = "staging.c3cat.de";
|
|
||||||
dataDir = "/var/www/${domain}";
|
|
||||||
deployUser = "c3cat-website-deploy";
|
|
||||||
in {
|
|
||||||
services.nginx.virtualHosts = {
|
|
||||||
"acme-${domain}" = {
|
|
||||||
enableACME = true;
|
|
||||||
serverName = "${domain}";
|
|
||||||
|
|
||||||
listen = [
|
|
||||||
{
|
|
||||||
addr = "0.0.0.0";
|
|
||||||
port = 31820;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
};
|
|
||||||
|
|
||||||
"${domain}" = {
|
|
||||||
forceSSL = true;
|
|
||||||
useACMEHost = "${domain}";
|
|
||||||
|
|
||||||
listen = [
|
|
||||||
{
|
|
||||||
addr = "0.0.0.0";
|
|
||||||
port = 8443;
|
|
||||||
ssl = true;
|
|
||||||
proxyProtocol = true;
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
root = "${dataDir}";
|
|
||||||
|
|
||||||
# Disallow *, since this is staging and doesn't need to be in any search
|
|
||||||
# results.
|
|
||||||
locations."/robots.txt" = {
|
|
||||||
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
|
|
||||||
};
|
|
||||||
|
|
||||||
extraConfig = ''
|
|
||||||
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
|
||||||
# $remote_port to the client address and client port, when using proxy
|
|
||||||
# protocol.
|
|
||||||
# First set our proxy protocol proxy as trusted.
|
|
||||||
set_real_ip_from 172.31.17.140;
|
|
||||||
# Then tell the realip_module to get the addreses from the proxy protocol
|
|
||||||
# header.
|
|
||||||
real_ip_header proxy_protocol;
|
|
||||||
'';
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
systemd.tmpfiles.rules = [
|
|
||||||
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
|
|
||||||
];
|
|
||||||
|
|
||||||
# c3cat deploy user already defined in c3cat.de.nix.
|
|
||||||
}
|
|