From 6a4960066d550781b8494205312c4795588bb420 Mon Sep 17 00:00:00 2001 From: jopejoe1 Date: Sat, 6 Dec 2025 21:15:41 +0100 Subject: [PATCH 01/16] shairport-sync: use settings module instead of custom text string --- modules/services/audio/shairport-sync.nix | 60 +++++++++-------------- 1 file changed, 23 insertions(+), 37 deletions(-) diff --git a/modules/services/audio/shairport-sync.nix b/modules/services/audio/shairport-sync.nix index 43d1285..f02485f 100644 --- a/modules/services/audio/shairport-sync.nix +++ b/modules/services/audio/shairport-sync.nix 
@@ -18,47 +18,33 @@ in services.shairport-sync = { enable = true; package = pkgs.shairport-sync-airplay2; - arguments = "-o pw -v"; + settings = { + diagnostics = { + log_verbosity = 1; + }; + general = { + name = cfg.name; + output_backend = "pw"; + }; + metadata = { + enabled = "yes"; + include_cover_art = "yes"; + cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; + pipe_name = "/tmp/shairport-sync-metadata"; + pipe_timeout = 5000; + }; + mqtt = { + enabled = "yes"; + hostname = "mqtt.ccchh.net"; + port = 1883; + publish_parsed = "yes"; + publish_cover = "yes"; + }; + }; }; users.users.shairport.extraGroups = [ "pipewire" "audio" ]; - environment.etc.shairport-sync-config = { - enable = true; - text = '' - // Config for MQTT and metadata. - // For reference see: - // https://github.com/mikebrady/shairport-sync/blob/8c607e2d61ea5fde8ed0b48b2471a543840c31e6/scripts/shairport-sync.conf - // https://github.com/mikebrady/shairport-sync/blob/0f0f65b67649d4a25d06f13b56a6077a90b0f6cc/MQTT.md - general = - { - name = "${cfg.name}"; - } - - metadata = - { - enabled = "yes"; // set this to yes to get Shairport Sync to solicit metadata from the source and to pass it on via a pipe - include_cover_art = "yes"; // set to "yes" to get Shairport Sync to solicit cover art from the source and pass it via the pipe. You must also set "enabled" to "yes". - cover_art_cache_directory = "/tmp/shairport-sync/.cache/coverart"; // artwork will be stored in this directory if the dbus or MPRIS interfaces are enabled or if the MQTT client is in use. 
Set it to "" to prevent caching, which may be useful on some systems - pipe_name = "/tmp/shairport-sync-metadata"; - pipe_timeout = 5000; // wait for this number of milliseconds for a blocked pipe to unblock before giving up - }; - - - mqtt = - { - enabled = "yes"; // set this to yes to enable the mqtt-metadata-service - hostname = "mqtt.ccchh.net"; // Hostname of the MQTT Broker - port = 1883; // Port on the MQTT Broker to connect to - // publish_raw = "no"; //whether to publish all available metadata under the codes given in the 'metadata' docs. - publish_parsed = "yes"; //whether to publish a small (but useful) subset of metadata under human-understandable topics - publish_cover = "yes"; //whether to publish the cover over mqtt in binary form. This may lead to a bit of load on the broker - // enable_remote = "yes"; //whether to remote control via MQTT. RC is available under `topic`/remote. - }; - ''; - target = "shairport-sync.conf"; - }; - systemd.services.shairport-sync = { serviceConfig = { Restart = "on-failure"; From b16f0190e0e33c41a7c0dd761bc416242048c6a8 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 27 Dec 2025 23:21:35 +0100 Subject: [PATCH 02/16] disable nixos-generators input as its broken a. makes infra-rebuild fail --- flake.lock | 65 ++++++------------------------------------------------ flake.nix | 60 ++++++++++++++++++++++++------------------------- 2 files changed, 37 insertions(+), 88 deletions(-) diff --git a/flake.lock b/flake.lock index 3d624db..76a3fc3 100644 --- a/flake.lock +++ b/flake.lock 
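Review bot: The new `mqtt` attribute set connects to `mqtt.ccchh.net` on port 1883 with no credential or TLS settings, so the solicited metadata and cover art leave the host in cleartext and anything that can reach the broker can subscribe to them; the removed text config did the same, so this is not a regression, but the settings form is the place to add the broker's auth/TLS options if it offers them, or a comment stating the broker is reachable only from the internal network. The reference links to the upstream `shairport-sync.conf` and `MQTT.md` in the removed text block are lost together with the per-option explanations; I would keep them as a comment above `settings = {`. The `pipe_name` and `cover_art_cache_directory` paths under `/tmp` are carried over unchanged; if the unit has (or later gets) `PrivateTmp`, the metadata pipe is invisible to outside consumers, so confirm that is intended. The `systemd.services.shairport-sync` block continues outside the hunk.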
@@ -17,52 +17,18 @@ "url": "https://git.hamburg.ccc.de/CCCHH/infrastructure-authorized-keys" } }, - "nixlib": { - "locked": { - "lastModified": 1736643958, - "narHash": "sha256-tmpqTSWVRJVhpvfSN9KXBvKEXplrwKnSZNAoNPf/S/s=", - "owner": "nix-community", - "repo": "nixpkgs.lib", - "rev": "1418bc28a52126761c02dd3d89b2d8ca0f521181", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixpkgs.lib", - "type": "github" - } - }, - "nixos-generators": { - "inputs": { - "nixlib": "nixlib", - "nixpkgs": "nixpkgs" - }, - "locked": { - "lastModified": 1751903740, - "narHash": "sha256-PeSkNMvkpEvts+9DjFiop1iT2JuBpyknmBUs0Un0a4I=", - "owner": "nix-community", - "repo": "nixos-generators", - "rev": "032decf9db65efed428afd2fa39d80f7089085eb", - "type": "github" - }, - "original": { - "owner": "nix-community", - "repo": "nixos-generators", - "type": "github" - } - }, "nixpkgs": { "locked": { - "lastModified": 1736657626, - "narHash": "sha256-FWlPMUzp0lkQBdhKlPqtQdqmp+/C+1MBiEytaYfrCTY=", - "owner": "NixOS", + "lastModified": 1761173472, + "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", + "owner": "nixos", "repo": "nixpkgs", - "rev": "2f9e2f85cb14a46410a1399aa9ea7ecf433e422e", + "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", "type": "github" }, "original": { - "owner": "NixOS", - "ref": "nixpkgs-unstable", + "owner": "nixos", + "ref": "nixos-25.05", "repo": "nixpkgs", "type": "github" } 
@@ -83,27 +49,10 @@ "type": "github" } }, - "nixpkgs_2": { - "locked": { - "lastModified": 1761173472, - "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", - "owner": "nixos", - "repo": "nixpkgs", - "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", - "type": "github" - }, - "original": { - "owner": "nixos", - "ref": "nixos-25.05", - "repo": "nixpkgs", - "type": "github" - } - }, "root": { "inputs": { "authorizedKeysRepo": "authorizedKeysRepo", - "nixos-generators": "nixos-generators", - "nixpkgs": "nixpkgs_2", + "nixpkgs": "nixpkgs", "nixpkgs-unstable": "nixpkgs-unstable", "sops-nix": "sops-nix" } diff --git a/flake.nix b/flake.nix index 3901c78..be9e8fb 100644 --- a/flake.nix +++ b/flake.nix @@ -8,12 +8,12 @@ nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; - # Add nixos-generators as an input. - # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake - nixos-generators = { - url = "github:nix-community/nixos-generators"; - #inputs.nixpkgs.follows = "nixpkgs"; - }; + # # Add nixos-generators as an input. + # # See here: https://github.com/nix-community/nixos-generators#using-in-a-flake + # nixos-generators = { + # url = "github:nix-community/nixos-generators"; + # #inputs.nixpkgs.follows = "nixpkgs"; + # }; # Add sops-nix as an input for secret management. # See here: https://github.com/Mic92/sops-nix?tab=readme-ov-file#flakes-current-recommendation @@ -28,7 +28,7 @@ }; }; - outputs = { self, nixpkgs, nixos-generators, nixpkgs-unstable, sops-nix, authorizedKeysRepo, ... }: + outputs = { self, nixpkgs, nixpkgs-unstable, sops-nix, authorizedKeysRepo, ... }: let specialArgs = { inherit authorizedKeysRepo; 
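Review bot: Commenting out `packages.x86_64-linux` in the `@@ -233,30 +233,30 @@` hunk of flake.nix (next hunk, same file) leaves `hydraJobs` with `inherit (self) packages;` — visible as a removed line in patch 08 — so, as far as I can tell, anything that forces `hydraJobs` (`nix flake check` does) fails with a missing `packages` attribute until patch 08 lands; this commit is not self-contained. Both flake.nix hunks also keep roughly forty lines as `#`-prefixed code instead of deleting them; git history already preserves the old input, so either delete the blocks or, if they are meant to come back, add one line above the input saying why it is off and what re-enables it, e.g. `# nixos-generators disabled: the input currently fails to evaluate and breaks infra-rebuild; re-enable once it builds again.`. The `#inputs.nixpkgs.follows` line was already commented before this change, so the double `# #` prefix now reads as noise.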
@@ -233,30 +233,30 @@ }; }; - packages.x86_64-linux = { - proxmox-nixos-template = nixos-generators.nixosGenerate { - inherit specialArgs; - system = "x86_64-linux"; - modules = [ - ./config/nixos-generators/proxmox.nix - self.nixosModules.common - self.nixosModules.proxmox-vm - ]; - format = "proxmox"; - }; + # packages.x86_64-linux = { + # proxmox-nixos-template = nixos-generators.nixosGenerate { + # inherit specialArgs; + # system = "x86_64-linux"; + # modules = [ + # ./config/nixos-generators/proxmox.nix + # self.nixosModules.common + # self.nixosModules.proxmox-vm + # ]; + # format = "proxmox"; + # }; - proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { - inherit specialArgs; - system = "x86_64-linux"; - modules = [ - ./config/nixos-generators/proxmox-chaosknoten.nix - ./config/proxmox-chaosknoten-additional-initial-config.nix - self.nixosModules.common - self.nixosModules.proxmox-vm - ]; - format = "proxmox"; - }; - }; + # proxmox-chaosknoten-nixos-template = nixos-generators.nixosGenerate { + # inherit specialArgs; + # system = "x86_64-linux"; + # modules = [ + # ./config/nixos-generators/proxmox-chaosknoten.nix + # ./config/proxmox-chaosknoten-additional-initial-config.nix + # self.nixosModules.common + # self.nixosModules.proxmox-vm + # ]; + # format = "proxmox"; + # }; + # }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; From 971274b473e6384c88d2262e71d1dbf65dde67f7 Mon Sep 17 00:00:00 2001 From: ViMaSter Date: Fri, 26 Dec 2025 19:54:29 +0100 Subject: [PATCH 03/16] feat: Adds a shortcode to the shop --- config/hosts/public-web-static/virtualHosts/hacker.tours.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix index 1ee6180..20bb644 100644 --- a/config/hosts/public-web-static/virtualHosts/hacker.tours.nix +++ b/config/hosts/public-web-static/virtualHosts/hacker.tours.nix 
@@ -22,6 +22,10 @@ in "${domain}" = { forceSSL = true; useACMEHost = "${domain}"; + + locations."/shop" = { + return = "302 https://tickets.hamburg.ccc.de"; + }; listen = [ { From c9e27a5bb6ad80362a2cb573a36045532200d806 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 19:20:50 +0100 Subject: [PATCH 04/16] mjolnir: use cloud-init for network configuration and move to new net. Switch to cloud-init to align with the Ansible infra. Also move to new network and hostname. --- config/hosts/mjolnir/networking.nix | 28 +++++++++++++++++----------- deployment_configuration.json | 2 +- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix index a441814..4d4693d 100644 --- a/config/hosts/mjolnir/networking.nix +++ b/config/hosts/mjolnir/networking.nix @@ -1,18 +1,24 @@ { ... }: { - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.161"; - prefixLength = 25; - } + networking.useDHCP = false; + + services.cloud-init = { + enable = true; + network.enable = true; + + # Version without ssh of: + # https://github.com/NixOS/nixpkgs/blob/3c9db02515ef1d9b6b709fc60ba9a540957f661c/nixos/modules/services/system/cloud-init.nix#L145 + # So we don't get ssh hostkey regenerations. + settings.cloud_config_modules = [ + "disk_setup" + "mounts" + "ssh-import-id" + "set-passwords" + "timezone" + "disable-ec2-metadata" + "runcmd" ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; }; systemd.network.links."10-net0" = { diff --git a/deployment_configuration.json b/deployment_configuration.json index 9c2f99a..929f2be 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json 
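Review bot: `locations."/shop"` is a prefix match, so the new redirect also catches `/shopping`, `/shop/anything` and every other path beginning with `/shop`; if only the one path is meant, use the exact-match key `locations."= /shop" = { return = "302 https://tickets.hamburg.ccc.de"; };`. If the ticket shop is the permanent home, `301` (or `308`) lets clients cache the redirect, while `302` routes every visit through this host first; either is fine, but a one-line comment stating which is intended would stop the next reader from "fixing" it. The `"${domain}"` vhost continues outside the hunk.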
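Review bot: The `settings.cloud_config_modules` list keeps `set-passwords` and `ssh-import-id`, which both act on user-data from the cloud-init datasource, while the comment above only explains why the `ssh` module was dropped; given the commit's stated goal of network configuration, whoever can write the datasource (presumably the Proxmox cloud-init drive) can thereby also set account passwords or import SSH keys on this host. If that is not wanted, drop the two entries; if it is, extend the comment, e.g. `# set-passwords/ssh-import-id kept on purpose: <reason>`. Removing the static `nameservers`/`search` entries also means resolution now depends entirely on what cloud-init delivers, and with `networking.useDHCP = false` there is no fallback if it delivers nothing — confirm the datasource supplies resolvers and the search domain. The `systemd.network.links."10-net0"` block continues outside the hunk.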
@@ -16,7 +16,7 @@ "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" }, "mjolnir": { - "targetHostname": "mjolnir-intern.hamburg.ccc.de" + "targetHostname": "mjolnir.hosts.hamburg.ccc.de" }, "woodpecker": { "targetHostname": "woodpecker-intern.hamburg.ccc.de" From 79952f8c63bd91d4edfc8baf1f140d91252e3cf1 Mon Sep 17 00:00:00 2001 From: June Date: Sat, 17 Jan 2026 22:06:24 +0100 Subject: [PATCH 05/16] hydra: remove hydra as its being decommissioned nix-infra is built back in general, so remove hydra as well. --- config/hosts/hydra/configuration.nix | 9 ----- config/hosts/hydra/default.nix | 11 ------ config/hosts/hydra/hydra.nix | 15 ------- config/hosts/hydra/networking.nix | 22 ----------- config/hosts/hydra/nginx.nix | 58 ---------------------------- config/hosts/hydra/nix.nix | 10 ----- 6 files changed, 125 deletions(-) delete mode 100644 config/hosts/hydra/configuration.nix delete mode 100644 config/hosts/hydra/default.nix delete mode 100644 config/hosts/hydra/hydra.nix delete mode 100644 config/hosts/hydra/networking.nix delete mode 100644 config/hosts/hydra/nginx.nix delete mode 100644 config/hosts/hydra/nix.nix diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix deleted file mode 100644 index a4c612e..0000000 --- a/config/hosts/hydra/configuration.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "hydra"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix deleted file mode 100644 index f621711..0000000 --- a/config/hosts/hydra/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./hydra.nix - ./networking.nix - ./nginx.nix - ./nix.nix - ]; -} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix deleted file mode 100644 index f315710..0000000 --- a/config/hosts/hydra/hydra.nix +++ /dev/null 
@@ -1,15 +0,0 @@ -{ ... }: - -{ - services.hydra = { - enable = true; - listenHost = "localhost"; - port = 3000; - hydraURL = "https://hydra.hamburg.ccc.de/"; - # E-Mail configuration requires some work/investigation still. - notificationSender = "no-reply@hydra.hamburg.ccc.de"; - useSubstitutes = true; - minimumDiskFree = 8; - minimumDiskFreeEvaluator = 2; - }; -} diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix deleted file mode 100644 index 82cec55..0000000 --- a/config/hosts/hydra/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.163"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:45:7C:D6"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix deleted file mode 100644 index 49ca2e1..0000000 --- a/config/hosts/hydra/nginx.nix +++ /dev/null 
@@ -1,58 +0,0 @@ -{ config, pkgs, ... }: - -let - domain = "hydra.hamburg.ccc.de"; -in -{ - services.nginx = { - enable = true; - - virtualHosts = { - "acme-${domain}" = { - default = true; - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - default = true; - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix deleted file mode 100644 index b95e469..0000000 --- a/config/hosts/hydra/nix.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - # Allow Hydra to fetch flake inputs. - nix.settings.allowed-uris = [ - "github:" - "https://github.com/" - "https://git.hamburg.ccc.de/" - ]; -} From 28d82f149d296155dfaf04c9aab8ecd2ab89a871 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 18 Jan 2026 21:09:15 +0100 Subject: [PATCH 06/16] status: remove status as it got replaced by a ansible-managed Gatus --- config/hosts/public-reverse-proxy/nginx.nix | 17 --- config/hosts/status/configuration.nix | 10 -- config/hosts/status/default.nix | 10 -- config/hosts/status/networking.nix | 29 ---- config/hosts/status/nginx.nix | 149 -------------------- config/hosts/status/uptime-kuma.nix | 7 - flake.nix | 10 -- 7 files changed, 232 deletions(-) delete mode 100644 config/hosts/status/configuration.nix delete mode 100644 config/hosts/status/default.nix delete mode 100644 config/hosts/status/networking.nix delete mode 100644 config/hosts/status/nginx.nix delete mode 100644 config/hosts/status/uptime-kuma.nix diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix index 507b71a..68c30c2 100644 --- a/config/hosts/public-reverse-proxy/nginx.nix +++ b/config/hosts/public-reverse-proxy/nginx.nix @@ -6,22 +6,6 @@ { config, pkgs, ... }: { - services.nginx.streamConfig = '' - map $ssl_preread_server_name $address { - status.ccchh.net 10.31.206.15:8443; - status.hamburg.ccc.de 10.31.206.15:8443; - } - - # Listen on port 443 as a reverse proxy and use PROXY Protocol for the - # upstreams. - server { - listen 0.0.0.0:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - ''; - services.nginx.appendHttpConfig = '' map $host $upstream_acme_challenge_host { club-assistant.ccchh.net 10.31.208.10; @@ -35,7 +19,6 @@ zigbee2mqtt.ccchh.net 10.31.208.25:31820; esphome.ccchh.net 10.31.208.24:31820; proxmox-backup-server.ccchh.net 10.31.208.28; - status.ccchh.net 10.31.206.15:31820; default ""; } ''; diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix deleted file mode 100644 index c36dc63..0000000 --- a/config/hosts/status/configuration.nix +++ /dev/null 
@@ -1,10 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "status"; - domain = "z9.ccchh.net"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix deleted file mode 100644 index d8644c5..0000000 --- a/config/hosts/status/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./networking.nix - ./nginx.nix - ./uptime-kuma.nix - ]; -} diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix deleted file mode 100644 index 0bff4b5..0000000 --- a/config/hosts/status/networking.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.206.15"; - prefixLength = 23; - } - ]; - ipv6.addresses = [ - { - address = "2a07:c481:1:ce::a"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "10.31.206.1"; - defaultGateway6 = "2a07:c481:1:ce::1"; - nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ]; - search = [ "z9.ccchh.net" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:79:D3:E1"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix deleted file mode 100644 index 8eff61c..0000000 --- a/config/hosts/status/nginx.nix +++ /dev/null 
@@ -1,149 +0,0 @@ -# Sources for this configuration: -# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy - -{ config, ... }: - -{ - services.nginx = { - enable = true; - - virtualHosts = { - "status.hamburg.ccc.de" = { - forceSSL = true; - enableACME = true; - serverName = "status.hamburg.ccc.de"; - - listen = [ - { - addr = "[::]"; - port = 80; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; - }; - }; - "status-proxyprotocol.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. 
- real_ip_header proxy_protocol; - ''; - }; - "status.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.ccchh.net"; - - listen = [ - { - addr = "[::]"; - port = 80; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - }; - "status-proxyprotocol.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - "status.z9.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.z9.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::]"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - }; - }; - }; - - security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [ - "status.ccchh.net" - "status.z9.ccchh.net" - ]; - - networking.firewall.allowedTCPPorts = [ 80 443 8443 ]; -} diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix deleted file mode 100644 index 02411f2..0000000 --- a/config/hosts/status/uptime-kuma.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - services.uptime-kuma = { - enable = true; - }; -} diff --git a/flake.nix b/flake.nix index be9e8fb..ccd35db 100644 --- a/flake.nix 
+++ b/flake.nix @@ -201,16 +201,6 @@ ]; }; - status = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - ./config/hosts/status - ]; - }; - penpot = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ From e51e6319187b4507747755db57b91f86040a85f9 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:45:50 +0100 Subject: [PATCH 07/16] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c8aa8cc00a5cb57fada0851a038d35c08a36a2bb' (2025-10-22) → 'github:nixos/nixpkgs/ac62194c3917d5f474c1a844b6fd6da2db95077d' (2026-01-02) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/02f2cb8e0feb4596d20cc52fda73ccee960e3538' (2025-10-24) → 'github:nixos/nixpkgs/3327b113f2ef698d380df83fbccefad7e83d7769' (2026-01-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5a7d18b5c55642df5c432aadb757140edfeb70b3' (2025-10-20) → 'github:Mic92/sops-nix/5e8fae80726b66e9fec023d21cd3b3e638597aa9' (2026-01-18) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 76a3fc3..fce4089 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761173472, - "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", + "lastModified": 1767313136, + "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", + "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1761349956, - "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=", + "lastModified": 1768661221, + "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538", + "rev": "3327b113f2ef698d380df83fbccefad7e83d7769", "type": "github" }, "original": { @@ -64,11 +64,11 @@ ] }, "locked": { - "lastModified": 1760998189, - "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "lastModified": 1768709255, + "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9", "type": "github" }, "original": { From 0ea41b3141f373bbe9388110c245500a21963f70 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:58:56 +0100 Subject: [PATCH 08/16] remove more hydra-related config --- deployment_configuration.json | 3 --- flake.nix | 15 --------------- 2 files changed, 18 deletions(-) diff --git a/deployment_configuration.json b/deployment_configuration.json index 929f2be..1bb46e7 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -23,9 +23,6 @@ }, "penpot": { "targetHostname": "penpot-intern.hamburg.ccc.de" - }, - "hydra": { - "targetHostname": "hydra-intern.hamburg.ccc.de" } } } diff --git a/flake.nix b/flake.nix index ccd35db..bee5868 100644 --- a/flake.nix +++ b/flake.nix @@ -211,16 +211,6 @@ ./config/hosts/penpot ]; }; - - hydra = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - self.nixosModules.prometheus-exporter - ./config/hosts/hydra - ]; - }; }; # packages.x86_64-linux = { 
@@ -249,10 +239,5 @@ # }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; - - hydraJobs = { - inherit (self) packages; - nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations; - }; }; } From 30b6d54f953501331ebf9cc5cffb2c8b464a5fc5 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 22:48:13 +0100 Subject: [PATCH 09/16] Upgrade to NixOS 25.11 mjolnir seems to be broken. --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index fce4089..3230d75 100644 --- a/flake.lock +++ b/flake.lock @@ -19,16 +19,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767313136, - "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", + "lastModified": 1768621446, + "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", + "rev": "72ac591e737060deab2b86d6952babd1f896d7c5", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index bee5868..fb48d3f 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # # Add nixos-generators as an input. From 827c46941515c3e3a83400bbe68f412d6ed39662 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 18 Jan 2026 22:49:43 +0100 Subject: [PATCH 10/16] forgejo-actions-runner: forgejo-actions-runner is forgejo-runner now Also use package from stable instead of unstable. --- .../hosts/forgejo-actions-runner/forgejo-actions-runner.nix | 4 ++-- flake.nix | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index 24e1472..376fde6 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -3,11 +3,11 @@ # - https://forgejo.org/docs/latest/user/actions/ # - https://docs.gitea.com/next/usage/actions/act-runner -{ config, pkgs-unstable, ... }: +{ config, pkgs, ... }: { services.gitea-actions-runner = { - package = pkgs-unstable.forgejo-actions-runner; + package = pkgs.forgejo-runner; instances.ccchh-forgejo-global-docker = { enable = true; name = "Global Docker Forgejo Actions Runner"; diff --git a/flake.nix b/flake.nix index fb48d3f..e976c25 100644 --- a/flake.nix +++ b/flake.nix @@ -147,7 +147,6 @@ ]; specialArgs = { inherit authorizedKeysRepo; - inherit pkgs-unstable; }; }; From 709afd0a1dfc14bbf213542bb4445d8cdb153892 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:44:07 +0100 Subject: [PATCH 11/16] Add cpu.ccc.de to static web host (under cpuccc.hamburg.ccc.de for now) --- .../virtualHosts/cpu.ccc.de.nix | 87 +++++++++++++++++++ .../virtualHosts/default.nix | 1 + 2 files changed, 88 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix new file mode 100644 index 0000000..d0d01f3 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix 
@@ -0,0 +1,87 @@ +{ ... }: + +let + # For now under cpuccc.hamburg.ccc.de. + domain = "cpuccc.hamburg.ccc.de"; + # dataDir = "/var/www/${domain}"; + dataDir = "/var/www/cpu.ccc.de"; + deployUser = "cpuccc-website-deploy"; +in +{ + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + index index.html; + default_type text/plain; + + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + port_in_redirect off; + ''; + + locations."/" = { + tryFiles = "$uri $uri/ =404"; + + extraConfig = '' + location /feed/ { + default_type application/rss+xml; + types { + text/xml application/rss+xml; + } + } + + location /rss { + default_type application/rss+xml; + } + ''; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de" + ]; + }; + users.groups."${deployUser}" = { }; +} diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 793829a..3532c25 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix 
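Review bot: The `openssh.authorizedKeys.keys` entry for `${deployUser}` is an unrestricted key on an `isNormalUser` account with a login shell, so the deploy credential grants an interactive session with pty, agent and port forwarding — far more than pushing files into `${dataDir}` needs. Prefix the key with authorized_keys options, at least `restrict` (plus `command="..."` if the deploy tool is fixed), which NixOS writes into the file verbatim: `"restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de"`. The `# dataDir = "/var/www/${domain}";` line is a commented-out alternative with no explanation; either drop it or state that it becomes the path once the real domain is used. The nested `location /feed/` and `location /rss` blocks live inside the `extraConfig` of `locations."/"`, which works but hides them from the NixOS `locations` attrset; a short comment on why they are nested (the `types` override) would help the next reader.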
+++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -4,6 +4,7 @@ imports = [ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix + ./cpu.ccc.de.nix ./cryptoparty-hamburg.de.nix ./element-admin.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix From 193ccedbee7ab0bd2d67f120cc6a41407548f9b0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 27 Jan 2026 15:36:23 +0100 Subject: [PATCH 12/16] public-web-static: setup cpu.ccc.de with redirects from aliases --- .../virtualHosts/cpu.ccc.de.nix | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix index d0d01f3..a6c67f8 100644 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix @@ -1,13 +1,17 @@ { ... }: let - # For now under cpuccc.hamburg.ccc.de. - domain = "cpuccc.hamburg.ccc.de"; - # dataDir = "/var/www/${domain}"; - dataDir = "/var/www/cpu.ccc.de"; + domain = "cpu.ccc.de"; + dataDir = "/var/www/${domain}"; deployUser = "cpuccc-website-deploy"; in { + security.acme.certs."cpu.ccc.de".extraDomainNames = [ + "cpuccc.hamburg.ccc.de" + "lokal.ccc.de" + "local.ccc.de" + ]; + services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; 
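Review bot: `extraDomainNames` adds `cpuccc.hamburg.ccc.de`, `lokal.ccc.de` and `local.ccc.de` to the `cpu.ccc.de` certificate, but the `acme-${domain}` vhost that answers HTTP-01 challenges on port 31820 still has only `serverName = "${domain}"`, and the `$upstream_acme_challenge_host` map on the public reverse proxy (seen in patch 06) is not updated anywhere in this series; unless the default server on 31820 happens to serve the shared challenge root and the proxy already routes those hosts here, issuance or renewal for the SANs will fail. I would add `serverAliases` with the three names to the acme vhost and check the reverse-proxy map before the first renewal comes due. The rest of the `services.nginx.virtualHosts` set continues outside the hunk.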
@@ -70,6 +74,35 @@ in
 '';
 };
 };
+
+ "cpuccc.hamburg.ccc.de" = {
+ forceSSL = true;
+ useACMEHost = "cpu.ccc.de";
+ serverAliases = [
+ "lokal.ccc.de"
+ "local.ccc.de"
+ ];
+
+ listen = [{
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }];
+
+ locations."/".return = "302 https://cpu.ccc.de";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+ '';
+ };
 };

 systemd.tmpfiles.rules = [
From 62885a0095e9b2b0c61180c683ca25eaa30985d3 Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 27 Jan 2026 15:44:25 +0100
Subject: [PATCH 13/16] public-web-static: to not log ip addresses just disable the access_log
---
 config/hosts/public-web-static/nginx.nix | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix
index 9d0e173..b69e60b 100644
--- a/config/hosts/public-web-static/nginx.nix
+++ b/config/hosts/public-web-static/nginx.nix
@@ -1,7 +1,12 @@
 { ... }:
 {
- services.nginx.enable = true;
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ access_log off;
+ '';
+ };

 networking.firewall.allowedTCPPorts = [ 8443 31820 ];
 networking.firewall.allowedUDPPorts = [ 8443 ];
From 175df869287e0673cac44d98cf8fbf6aa7e3438d Mon Sep 17 00:00:00 2001
From: June
Date: Tue, 27 Jan 2026 15:47:14 +0100
Subject: [PATCH 14/16] public-web-static: make hamburg.ccc.de the default server
---
 config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 1 +
 1 file changed, 1 insertion(+)
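Review bot: `locations."/".return = "302 https://cpu.ccc.de";` throws away the requested path and query string, so a link such as `https://lokal.ccc.de/rss` lands on the front page; `locations."/".return = "302 https://cpu.ccc.de$request_uri";` preserves it, and since the aliases are meant to stay, a `301` would let clients cache the move. The realip `extraConfig` is now duplicated verbatim between this host and `"${domain}"` above; `set_real_ip_from` and `real_ip_header` are valid at `http` level, so `services.nginx.appendHttpConfig` (which the following commit introduces for this host) is one place to keep them, and the `addreses` typo in the copied comment would go with it. A one-line comment above the new host naming it as the alias redirect would spare the next reader from diffing it against the real site block.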
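Review bot: `access_log off;` in `appendHttpConfig` stops request logging, but the commit's stated goal of not logging client addresses is only partly met: nginx's error log still records `client: <ip>` on request-level errors, including the "No such file or directory" entries that a 404 from `tryFiles` produces, so `log_not_found off;` next to this line (or a higher `error_log` level) would be needed as well. Consider also whether dropping the access log entirely is wanted operationally: a `log_format` that omits `$remote_addr` but keeps path, status and user agent gives the same privacy property while still leaving something to investigate abuse or outages with. A short comment above `access_log off;` stating the privacy motivation would keep the intent visible once the commit message is out of sight.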
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
index 8277b5f..1c967c9 100644
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@@ -17,6 +17,7 @@
 "hamburg.ccc.de" = {
 forceSSL = true;
 useACMEHost = "hamburg.ccc.de";
+ default = true;

 listen = [
 {
From 213707b31080287d0dc5517897b777dcc062a701 Mon Sep 17 00:00:00 2001
From: June
Date: Wed, 28 Jan 2026 15:31:31 +0100
Subject: [PATCH 15/16] public-web-static: remove cpuccc.hamburg.ccc.de alias
---
 config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
index a6c67f8..d2e779a 100644
--- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
@@ -7,7 +7,6 @@ let
 in
 {
 security.acme.certs."cpu.ccc.de".extraDomainNames = [
- "cpuccc.hamburg.ccc.de"
 "lokal.ccc.de"
 "local.ccc.de"
 ];
@@ -75,11 +74,10 @@ in
 };
 };

- "cpuccc.hamburg.ccc.de" = {
+ "lokal.ccc.de" = {
 forceSSL = true;
 useACMEHost = "cpu.ccc.de";
 serverAliases = [
- "lokal.ccc.de"
 "local.ccc.de"
 ];

From ebb0cea592d7def9833c9a6c979033ca4132c8cf Mon Sep 17 00:00:00 2001
From: June
Date: Sun, 1 Feb 2026 21:06:33 +0100
Subject: [PATCH 16/16] public-web-static: make www.c3cat.de actually work
---
 config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
index ff59fab..95f9b59 100644
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
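Review bot: With `default = true;`, every connection on 8443 whose SNI or Host matches no configured server — IP-only probes, and after the following commit the retired `cpuccc.hamburg.ccc.de` name — is now served hamburg.ccc.de's certificate and content instead of being refused. If the intent is only to stop nginx from treating whichever server block happens to come first as the fallback, a dedicated catch-all host with `default = true;` and `rejectSSL = true;` (or `locations."/".return = "444";`) keeps the real site from answering under arbitrary hostnames; if hamburg.ccc.de is deliberately the fallback, a comment beside this line saying so would settle the question for the next reader. The enclosing `"hamburg.ccc.de"` host continues past the hunk.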
@@ -23,7 +23,7 @@ in {
 ];
 };

- "$www.${domain}" = {
+ "www.${domain}" = {
 forceSSL = true;
 useACMEHost = "${domain}";