CCCHH/nix-infra
CCCHH/nix-infra
2
3
Fork 2
Code Issues Pull requests 2 Wiki Activity

Compare commits

base: CCCHH:main
Branches Tags
CCCHH:main
CCCHH:feat/docs-c3voc-static-web
CCCHH:shairport-sync-cleanup
CCCHH:ci-check
CCCHH:ci-check-lix
CCCHH:nixOptions
CCCHH:spaceapi
CCCHH:ptouch-print-server
CCCHH:Bendodroid-ldflagsSpaceapid
..
compare: CCCHH:feat/docs-c3voc-static-web
Branches Tags
CCCHH:main
CCCHH:feat/docs-c3voc-static-web
CCCHH:shairport-sync-cleanup
CCCHH:ci-check
CCCHH:ci-check-lix
CCCHH:nixOptions
CCCHH:spaceapi
CCCHH:ptouch-print-server
CCCHH:Bendodroid-ldflagsSpaceapid

No commits in common. "main" and "feat/docs-c3voc-static-web" have entirely different histories.
main ... feat/docs-

52 changed files with 535 additions and 763 deletions
Download patch file Download diff file Expand all files Collapse all files

5
config/hosts/forgejo-actions-runner/configuration.nix
View file

@ -1,10 +1,7 @@
{ config, pkgs, ... }:
{
networking = {
hostName = "forgejo-actions-runner";
domain = "hosts.hamburg.ccc.de";
};
networking.hostName = "forgejo-actions-runner";
system.stateVersion = "23.11";
}

3
config/hosts/forgejo-actions-runner/docker.nix
View file

@ -9,8 +9,5 @@
enable = true;
dates = "weekly";
};
daemon.settings = {
ipv6 = true;
};
};
}

6
config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
View file

@ -15,9 +15,6 @@
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
labels = [ "docker:docker://node:current-bookworm" ];
settings = {
container = {
enable_ipv6 = true;
};
cache = {
proxy_port = 45540;
};
@ -38,9 +35,6 @@
"alpine-latest:docker://node:current-alpine"
];
settings = {
container = {
enable_ipv6 = true;
};
cache = {
proxy_port = 45541;
};

8
config/hosts/forgejo-actions-runner/networking.nix
View file

@ -5,14 +5,14 @@ let
in {
networking = {
interfaces.net0 = {
ipv6.addresses = [
ipv4.addresses = [
{
address = "2a00:14b0:42:102::18";
prefixLength = 64;
address = "172.31.17.155";
prefixLength = 25;
}
];
};
defaultGateway6 = "2a00:14b0:42:102::1";
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};

5
config/hosts/public-web-static/configuration.nix
View file

@ -1,10 +1,7 @@
{ ... }:
{
networking = {
hostName = "public-web-static";
domain = "hosts.hamburg.ccc.de";
};
networking.hostName = "public-web-static";
system.stateVersion = "23.05";
}

8
config/hosts/public-web-static/networking.nix
View file

@ -3,14 +3,14 @@
{
networking = {
interfaces.net0 = {
ipv6.addresses = [
ipv4.addresses = [
{
address = "2a00:14b0:42:102::17";
prefixLength = 64;
address = "172.31.17.151";
prefixLength = 25;
}
];
};
defaultGateway6 = "2a00:14b0:42:102::1";
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};

10
config/hosts/public-web-static/virtualHosts/branding-resources.hamburg.ccc.de.nix
View file

@ -14,10 +14,6 @@ in
serverName = "branding-resources.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -30,12 +26,6 @@ in
useACMEHost = "branding-resources.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

16
config/hosts/public-web-static/virtualHosts/c3cat.de.nix
View file

@ -16,10 +16,6 @@ in {
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -32,12 +28,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -71,12 +61,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

27
config/hosts/public-web-static/virtualHosts/c3dog.de.nix
View file

@ -3,7 +3,7 @@
let
domain = "c3dog.de";
dataDir = "/var/www/${domain}";
deployUser = "c3dog-website-deploy";
deployUser = "c3cat-website-deploy";
in {
security.acme.certs."${domain}".extraDomainNames = [ "www.${domain}" ];
@ -16,10 +16,6 @@ in {
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -32,12 +28,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -67,12 +57,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -99,13 +83,4 @@ in {
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIB7iXsVArl4SbDczb4U3zGkZCiVO/lfn12gkOEOnKmEX deploy key for c3dog.de"
];
};
users.groups."${deployUser}" = { };
}

30
config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
View file

@ -17,10 +17,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -34,12 +30,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -91,20 +81,12 @@ in
"local.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://cpu.ccc.de";

16
config/hosts/public-web-static/virtualHosts/cryptoparty-hamburg.de.nix
View file

@ -16,10 +16,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -32,12 +28,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -65,12 +55,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

3
config/hosts/public-web-static/virtualHosts/default.nix
View file

@ -13,16 +13,13 @@
./hacker.tours.nix
./hackertours.hamburg.ccc.de.nix
./hamburg.ccc.de.nix
./infra-docs.hamburg.ccc.de.nix
./spaceapi.hamburg.ccc.de.nix
./staging.c3cat.de.nix
./staging.c3dog.de.nix
./staging.cryptoparty-hamburg.de.nix
./staging.docs.c3voc.de.nix
./staging.hacker.tours.nix
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
./staging.infra-docs.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
./diday.org.nix
./staging.diday.org.nix

24
config/hosts/public-web-static/virtualHosts/diday.org.nix
View file

@ -16,10 +16,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -32,12 +28,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -46,6 +36,10 @@ in
}
];
basicAuth = {
"preview" = "liebe";
};
extraConfig = ''
return 301 https://diday.org;
'';
@ -56,12 +50,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -70,6 +58,10 @@ in
}
];
basicAuth = {
"preview" = "liebe";
};
root = "${dataDir}";
extraConfig = ''

12
config/hosts/public-web-static/virtualHosts/docs.c3voc.de.nix
View file

@ -11,10 +11,6 @@ in {
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -27,12 +23,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -52,8 +42,6 @@ in {
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};

16
config/hosts/public-web-static/virtualHosts/element-admin.hamburg.ccc.de.nix
View file

@ -1,14 +1,14 @@
{ config, pkgs, ... }:
let
elementAdminVersion = "0.1.11";
elementAdminVersion = "0.1.10";
elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: {
pname = "element-admin";
version = elementAdminVersion;
src = pkgs.fetchzip {
url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip";
sha256 = "sha256-tSUTDPspQJjvP1KN4nUr4LYyjNQFj4pKMMA8JmavIxo=";
sha256 = "sha256-dh7tmzAaTfKB9FuOVhLHpOIsTZK1qMvNq16HeObHOqI=";
};
nativeBuildInputs = [
@ -19,7 +19,7 @@ let
pnpmDeps = pkgs.pnpm.fetchDeps {
inherit (finalAttrs) pname version src;
fetcherVersion = 2;
hash = "sha256-Hf4PWey5bczSNbc3QQ9z9X3OVUZ7VHXw7BHGQqJWPac=";
hash = "sha256-S/MdfUv6q+PaAKWYHxVY80BcpL81dOfpPVhNxEPQVE4=";
};
buildPhase = ''
@ -40,10 +40,6 @@ in
serverName = "element-admin.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -56,12 +52,6 @@ in
useACMEHost = "element-admin.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

14
config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix
View file

@ -1,10 +1,10 @@
{ pkgs, ... }:
let
elementWebVersion = "1.12.18";
elementWebVersion = "1.12.0";
element-web = pkgs.fetchzip {
url = "https://github.com/element-hq/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-RvPJg28hgOgFs0GFZ9EPypQkUPkAns0alXYJeNst4Bk=";
sha256 = "sha256-2kXQFUhLYyEKuXYw+n94JGlTN2VJHRpjmu78u8gdaro=";
};
elementSecurityHeaders = ''
# Configuration best practices
@ -24,10 +24,6 @@ in
serverName = "element.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -40,12 +36,6 @@ in
useACMEHost = "element.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

12
config/hosts/public-web-static/virtualHosts/hacker.tours.nix
View file

@ -12,10 +12,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -26,18 +22,12 @@ in
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
locations."/shop" = {
return = "302 https://tickets.hamburg.ccc.de";
};
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

10
config/hosts/public-web-static/virtualHosts/hackertours.hamburg.ccc.de.nix
View file

@ -12,10 +12,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -28,12 +24,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

18
config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
View file

@ -7,10 +7,6 @@
serverName = "hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -24,12 +20,6 @@
default = true;
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -99,14 +89,6 @@
return = "302 https://cloud.hamburg.ccc.de/apps/calendar/embed/QJAdExziSnNJEz5g";
};
# Redirects for blog post edits.
locations."/blog/2026/05/23/der-ccchh-sagt-nein-zu-olympia-in-hamburg" = {
return = "302 https://hamburg.ccc.de/blog/2026/05/31/der-ccchh-sagt-nein-zu-olympia-in-hamburg/";
};
locations."/blog/2026/05/23/der-ccchh-sagt-nein-zu-olympia-in-hamburg/" = {
return = "302 https://hamburg.ccc.de/blog/2026/05/31/der-ccchh-sagt-nein-zu-olympia-in-hamburg/";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

56
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh03.nix
View file

@ -25,16 +25,10 @@ in
"easterhegg2003.hamburg.ccc.de"
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2003.hamburg.ccc.de" = {
@ -46,20 +40,12 @@ in
"www.easterhegg2003.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh03.easterhegg.eu";
@ -79,26 +65,18 @@ in
forceSSL = true;
useACMEHost = "eh03.easterhegg.eu";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.html";
root = eh03;
extraConfig = ''
# Set default_type to html
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;

56
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh05.nix
View file

@ -25,16 +25,10 @@ in
"easterhegg2005.hamburg.ccc.de"
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2005.hamburg.ccc.de" = {
@ -46,20 +40,12 @@ in
"www.easterhegg2005.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh05.easterhegg.eu";
@ -79,26 +65,18 @@ in
forceSSL = true;
useACMEHost = "eh05.easterhegg.eu";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh05;
extraConfig = ''
# Set default_type to html
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;

56
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh07.nix
View file

@ -29,16 +29,10 @@ in
"easterhegg2007.hamburg.ccc.de"
"www.easterhegg2007.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2007.hamburg.ccc.de" = {
@ -52,20 +46,12 @@ in
"www.easterhegg2007.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh07.easterhegg.eu";
@ -85,26 +71,18 @@ in
forceSSL = true;
useACMEHost = "eh07.easterhegg.eu";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh07;
extraConfig = ''
# Set default_type to html
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;

56
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh09.nix
View file

@ -29,16 +29,10 @@ in
"easterhegg2009.hamburg.ccc.de"
"www.easterhegg2009.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2009.hamburg.ccc.de" = {
@ -52,20 +46,12 @@ in
"www.easterhegg2009.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh09.easterhegg.eu";
@ -85,26 +71,18 @@ in
forceSSL = true;
useACMEHost = "eh09.easterhegg.eu";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh09;
extraConfig = ''
# Set default_type to html
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;

56
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh11.nix
View file

@ -29,16 +29,10 @@ in
"easterhegg2011.hamburg.ccc.de"
"www.easterhegg2011.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"easterhegg2011.hamburg.ccc.de" = {
@ -52,20 +46,12 @@ in
"www.easterhegg2011.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh11.easterhegg.eu";
@ -85,26 +71,18 @@ in
forceSSL = true;
useACMEHost = "eh11.easterhegg.eu";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "index.shtml";
root = eh11;
extraConfig = ''
# Set default_type to html
# Set default_type to html
default_type text/html;
# Enable SSI
ssi on;

54
config/hosts/public-web-static/virtualHosts/historic-easterhegg/eh20.nix
View file

@ -21,16 +21,10 @@ in
"www.eh20.easterhegg.eu"
"eh20.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
listen = [{
addr = "0.0.0.0";
port = 31820;
}];
};
"www.eh20.easterhegg.eu" = {
@ -40,20 +34,12 @@ in
"eh20.hamburg.ccc.de"
];
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/".return = "302 https://eh20.easterhegg.eu";
@ -73,20 +59,12 @@ in
forceSSL = true;
useACMEHost = "eh20.easterhegg.eu";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
listen = [{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}];
locations."/" = {
index = "start.html";

73
config/hosts/public-web-static/virtualHosts/infra-docs.hamburg.ccc.de.nix
View file

@ -1,73 +0,0 @@
{ pkgs, ... }:
let
domain = "infra-docs.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "infra-docs-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
users.users."${deployUser}" = {
isNormalUser = true;
group = "${deployUser}";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINfwfy9f3R/tDOiUeG5DA9oIGDDEAP270MqFG3V1P11L deploy key for infra-docs"
];
};
users.groups."${deployUser}" = { };
}

10
config/hosts/public-web-static/virtualHosts/spaceapi.hamburg.ccc.de.nix
View file

@ -7,10 +7,6 @@
serverName = "spaceapi.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -23,12 +19,6 @@
useACMEHost = "spaceapi.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

10
config/hosts/public-web-static/virtualHosts/staging.c3cat.de.nix
View file

@ -11,10 +11,6 @@ in {
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -27,12 +23,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

70
config/hosts/public-web-static/virtualHosts/staging.c3dog.de.nix
View file

@ -1,70 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.c3dog.de";
dataDir = "/var/www/${domain}";
deployUser = "c3dog-website-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# c3dog deploy user already defined in c3dog.de.nix.
}

16
config/hosts/public-web-static/virtualHosts/staging.cryptoparty-hamburg.de.nix
View file

@ -16,10 +16,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -32,12 +28,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -65,12 +55,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

10
config/hosts/public-web-static/virtualHosts/staging.diday.org.nix
View file

@ -21,12 +21,6 @@ in
forceSSL = true;
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -35,6 +29,10 @@ in
}
];
basicAuth = {
"preview" = "liebe";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy

12
config/hosts/public-web-static/virtualHosts/staging.docs.c3voc.de.nix
View file

@ -11,10 +11,6 @@ in {
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -27,12 +23,6 @@ in {
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
@ -58,8 +48,6 @@ in {
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};

10
config/hosts/public-web-static/virtualHosts/staging.hacker.tours.nix
View file

@ -12,10 +12,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -28,12 +24,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

10
config/hosts/public-web-static/virtualHosts/staging.hackertours.hamburg.ccc.de.nix
View file

@ -12,10 +12,6 @@ in
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -28,12 +24,6 @@ in
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

10
config/hosts/public-web-static/virtualHosts/staging.hamburg.ccc.de.nix
View file

@ -7,10 +7,6 @@
serverName = "staging.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -23,12 +19,6 @@
useACMEHost = "staging.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

72
config/hosts/public-web-static/virtualHosts/staging.infra-docs.hamburg.ccc.de.nix
View file

@ -1,72 +0,0 @@
{ pkgs, ... }:
let
domain = "staging.infra-docs.hamburg.ccc.de";
dataDir = "/var/www/${domain}";
deployUser = "infra-docs-deploy";
in {
services.nginx.virtualHosts = {
"acme-${domain}" = {
enableACME = true;
serverName = "${domain}";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"${domain}" = {
forceSSL = true;
useACMEHost = "${domain}";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
root = "${dataDir}";
# Disallow *, since this is staging and doesn't need to be in any search
# results.
locations."/robots.txt" = {
return = "200 \"User-agent: *\\nDisallow: *\\n\"";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
port_in_redirect off;
'';
};
};
systemd.tmpfiles.rules = [
"d ${dataDir} 0755 ${deployUser} ${deployUser}"
];
# infra-docs deploy user already defined in infra-docs.hamburg.ccc.de.nix.
}

10
config/hosts/public-web-static/virtualHosts/www.hamburg.ccc.de.nix
View file

@ -7,10 +7,6 @@
serverName = "www.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 31820;
}
{
addr = "0.0.0.0";
port = 31820;
@ -23,12 +19,6 @@
useACMEHost = "www.hamburg.ccc.de";
listen = [
{
addr = "[::]";
port = 8443;
ssl = true;
proxyProtocol = true;
}
{
addr = "0.0.0.0";
port = 8443;

7
config/hosts/woodpecker/configuration.nix Normal file
View file

@ -0,0 +1,7 @@
{ config, pkgs, ... }:
{
networking.hostName = "woodpecker";
system.stateVersion = "24.05";
}

11
config/hosts/woodpecker/default.nix Normal file
View file

@ -0,0 +1,11 @@
{ config, pkgs, ... }:
{
imports = [
./woodpecker-agent
./woodpecker-server
./configuration.nix
./networking.nix
./sops.nix
];
}

22
config/hosts/woodpecker/networking.nix Normal file
View file

@ -0,0 +1,22 @@
{ ... }:
{
networking = {
interfaces.net0 = {
ipv4.addresses = [
{
address = "172.31.17.160";
prefixLength = 25;
}
];
};
defaultGateway = "172.31.17.129";
nameservers = [ "212.12.50.158" "192.76.134.90" ];
search = [ "hamburg.ccc.de" ];
};
systemd.network.links."10-net0" = {
matchConfig.MACAddress = "BC:24:11:5F:A9:B7";
linkConfig.Name = "net0";
};
}

149
config/hosts/woodpecker/secrets.yaml Normal file
View file

@ -0,0 +1,149 @@
woodpecker_server_environment_file: ENC[AES256_GCM,data:68Wu0UOHBAGZHSJ0x4wbeDLm626jpumv9w6A65FNKsmzYp6P4/c4g1MF1agQd7l9nKMTRrgyJyfoEZYFQRX6lYSmcsQLfn++uh1JpFoClT5p/5hBkiDq4owUFU+NGUiyl6yjYlEiaxLwC4ZdyISHeEYpbrvGyIXLsFgdrQ0rVX3cCRwIMxFcyCG6d3MZVoqAw1A=,iv:y/+X02aRPBOoR57P9s7y/SijvXVLuiBBfFYqeJLvQEU=,tag:DNwK+M6s3moglkMkrWccyA==,type:str]
woodpecker_agent_environment_file: ENC[AES256_GCM,data:rwp6TYYFJ/IZH+3pGhPxjdZMLoyPMr/W1RXm4IkUGn+SmIjHZcdFZ8nEhvOfnkfrXNPc2MR+X6NXUmVOcBjSCbcBjh9sC653UpKimt9I3/Ec,iv:X9JH7dmTayw8BaEsXYil3PrykCdd+/ANGHVfEyRvc7A=,tag:/ErkX1WnruanNgTTBUT6LA==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWdUhjQUJIS2QvWk1Yc3pR
M1daYlRubnlsQk9tcytBNWdYMUU4bG1DVHhZCnVKK00ySDdBZFhzRXlaQ2xVaTBh
bVVVNzRraUpHSFFuRStzWFprUGRoMGcKLS0tIEVBUWh4STBIaGdTelFKcnB0TkNR
SEd1VTZQZWlkYXVKcVRPbVA1U3VWbFUKnuaPGc29kKE86nh+xEto0Jb6BQ0uH3pr
Q1QPgfiOCYGkuUewy3LlGnLTuMxHBBWAjg4zgaYPHU2F/HCS5DB5nw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1klxtcr23hers0lh4f5zdd53tyrtg0jud35rhydstyjq9fjymf9hsn2a8ch
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArdVJNK1ljNWwrTy9qc1p1
N1MweERxdkNXZVZITWRRdGFQRHRQeTNFTTI4CjFkSVJQMFBKY2tRWE1DeXdMOUZY
Qm5oYTU1azFzVEpYZUptcTVhRCsxL28KLS0tIEI0czljekgvQlc1SlVGSUpGb1N3
NytOaE5nQ3E4bFhCQ1ZDU3MyM3p5cmcK3LGva0vDjitqOBqBo6jHqRBaH8T8cOim
IF8ygc0i/dbaec59ZcCMhS0n8yv0lVHO2WiUwPaKTh5hkti9LhKlaA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-06-22T15:55:25Z"
mac: ENC[AES256_GCM,data:UmDbmxSRj8YfCkKEelQNMJ8mzbu5aQdB9yOr9JfUh5TB9r5Z5ttZ1wgJDJqHNtsII3JGXUvbgHbsmbPikkrj4Ege1rrgr4UttN1rtgeaAKlZIlqb9pOnV4//GJL8jbxCgFp2h2O80G05nAXG54DaY//4Y5hfTyPzgyDlGQ6jlhg=,iv:5e8lpFfGAJh8lTFcY4MlZG7PgnzM0UycsU0tB2KN+zQ=,tag:4xUEHg04wjDbhc9MOItzuQ==,type:str]
pgp:
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAz5uSgHG2iMJAQ/+NzRul1VZa2BLnjCsdUP7YErHvLsJqc/KwEFgGX8yN1Bg
VOHgm0MBYC14KtMu0Zb+Cm6ypqyaa4j+MXNVWLDTOLt1aLibashBmyPbwHNr0XwO
6tr9qYAPixaoWFeiCtATKLUzWzQ68eDv9JHNNQvKGNjet9E1yOIxWHj6RxyV/EeZ
50nf+7AO7cFkqRGFxrGKAYchzetajNPLtbS2htFCc3Vt9m38jusafvYdjeG+HQHe
6INzdNqvM7vhfWJlIiTPCXGKvx0NhLg6sVvcXpq5mKbMAhja80KyUdl772L8Kr6P
ZYvmj+Ey8+GM+opGGxcaSBmgw3ZLRIZ1tks3LlRf/UiAZD5MqJoRL1DEJMtHzYnp
IqxOEiuMLAL1/TxG4KhJfT5Gs9Kf3Cnr6djhhsYg3GYXSQdhiyaBDaLpu68nEIRN
JSdA/7pCjxhvlgFl9XvPaMzQD5GZNlVapJPn1c9Ambi9cs4kB8nds+Xx4KgIN3li
85flJnEtQWRI2DL8qJgoYJ1cXevkPVzKLFnQEHfLuozIzfPl1Wq1Sb3EQk9YZer9
yfVHRngBBhmfNMtFy9gq8FLod0Odas3KQDAa7ndPMMx6oL5DoNeI3DpuYW4eQIZK
EbT5iHLMrTXHb2XKTHfXdjl6ttED+12GAby69jdGXjt6UVAM6b0UorWfSLLoqabS
XgG1w128eegSl4tqdYO/KDL30c9J1K8LqaJmg+9eFAi9Da/zmPAck+DlS7XUkeiX
OqZiOXLul0N2Qe/tWkpJD8F3HV+K6Xt0MSx8VsmeliicG4Rpme1Xysau+7kht3U=
=KUjN
-----END PGP MESSAGE-----
fp: 18DFCE01456DAB52EA38A6584EDC64F35FA1D6A5
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAw5vwmoEJHQ1ARAAxH+TtzvFlUZfD3U7BNRr9SyWVxnkR3U2zvvDG5A3I28K
fI1U1am6Z+gSvYdId38hiMPxDmDIMl2wCYCXd17q+PSycsJ1Bbzy1zaht6KcpSJb
s9jmNmf+5mazSRZ/COBy4mMq+2mam4/vu+xS85IsgxyxK9ygnCurmzMqn3lxatm0
ICxvoLMAamA+tAfxtw+a5lEMok7pHdKndZmrKvxO7nLXM0292sJ3VHp5Uy9k487W
PznpjM1st/f/0gTu1mgb8rnUkSszw1odBeQ+xw2JvcDHE6Ow7PpCk83oTWXil6c4
bEsrtvaFLWXN9/gssnayoMWHb/TCHKVe4AGrMevFkRdEFDRV5FRZGqzuGDP++X10
KYyMN0/Wo/XU7Rn3+7HmKvz0qeaAI/IRTrhdXUDtQQ13/waxGrJEquwS5Xuwea6l
LlA6hwnAERSVrVkMQ60ITOD6n7lvAPA7jD/HhI3P2Xy4mDFW9ZnfnWi0xI9pRCsk
w+ZnQ1Ckacv0gJUirvsVSdUYHwvEvpFEVSsZsv5QbNsaWi5jn5XDH0eqlXQE80aO
o3vPFTNCHNixspiaIO4V8etyv6nSh7BxwDvIH4nZVxr8HmxILs0Occw9anvA81md
roF3pyb+ZFRIwcBh72VSdAm1D/n4h14lnmMj+19HEA3zvbPnZQejtGFMY1Oe2VTS
XgHMI0aRJANXczMA7LSg9vxDYvWXE2KR526oBsC1E7otCNGkxj3hhmng25K3tmIU
E2AAaAIk/RukMnydb93XGciPquCZsWlmpwlTGXCqoqiNBilvIE1lXH6rhym78ko=
=nRW4
-----END PGP MESSAGE-----
fp: 87AB00D45D37C9E9167B5A5A333448678B60E505
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DerEtaFuTeewSAQdAPWizx2khKtlshnLwE5PRszAdTvTlsEEiWVV5xJx3PnAw
9Gj2lZZX4F0AXoKInElg2N02FXpIo24ZZUPXGqpswfSv93NFNNK+FWwqUCRZhuCM
0l4Blkyy4PthGwIAtXqZ8GGxjoDGBLIAE/zrY9tdNB5XAnkiy7J82kora0dphpkq
Llb1Jgh0+ZK8RQzaf5wcgWf867MhJLhv0N+qLsFVutGpqFy1W/1vaLQ5au5Ty2Tw
=460I
-----END PGP MESSAGE-----
fp: 057870A2C72CD82566A3EC983695F4FCBCAE4912
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAxjNhCKPP69fAQ//Rzcsq0Yay/3g/MzqHI1izkSWsdycz3LE6qM4qhX4f7wZ
4Ymzu2jbSq43IavCjGPOLIKVJ4nlnPd7rcprYNV5DOcGAkXG5x7PbnVta3SPI300
CXnSGQB1KHUCCYZN1BkL9ZSQyTx0ex19mnsSEtZh8NB97cCZx9zMowdHKd5ySu/O
+CMFkQ6Uoh2FxBtqM1y1YbDiuDJnAlAQSKlDIVdCdMssutWRs9Nf6eiLtcmb4U5l
sNyKQnPrr3vjkaTbVdBKQjjMSa8Z/1Tf95GxNhzrUGm2APLKVYdHkMVlQwcr/ZfH
jGiZqxgBmrtNe3EypdKCDnlPvlxs8mnO5whxzDZW2NFV3piMmOmvLI/Po1ASi/t1
PW9h05Foh2764Jfp74BkRTvhBfi465wKkON0VOckwWBkl/n7w7POfHCXdK1/AnGj
9ywj6P4zg50vKiTMkZStq6YKXAEkVcN6YzhVVDFwDwAE1VKFCMKlmwuYT1FuKXBp
7maF578qVyb0lXP9jaX10Y9dhC4vU2rJB3vtRhxjqeMEe/WOyhEyalrC9phPfBKS
wVKzdd3vvaNGfQSAwseFAn1upvELFwccPw1aRIqqLhzWTY2m48yyW2aEN6+7SqkR
dOBJpZDE4NxOhbQl0rllZdeLUznIgeOKM2iNg/3kM7cWcsLZRm3+l1ZuiCEy5XPS
XgHbwfJlyZYoQyKCntbdA/5VRS/5s0oPJIjuofoBZb35fIqtYPIpUeNccpklXYsO
atiSRwJeiluCFUag0uV3nq0zltOlqdS6piEVqU6xiGLAZe04jkaMBxL6VQQHYU0=
=811X
-----END PGP MESSAGE-----
fp: F38C9D4228FC6F674E322D9C3326D914EB9B8F55
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA1Hthzn+T1OoAQ/9EvULxQSjfO/V600iqRhsQsuuHWY5IfVN+XBCmzmeUX2a
8qFN8L5gk3pYEoIu4khSCSeIpVyOdX1XeWMMNB15C/pAvgi7emH0y8UxAvCLfW5L
CzP3qLQsbpKUGntPlHaye/G16M/+m4QPc6Y7qwEtUThOei9haPhIU06Tb61IpfLk
AKticUro4ap3Xt/fjDH0NHZsGG33V6LprTt+8LaEcpcwZK/yOWdG4wTV4j6X8LbA
ueCmKunAr1skJrd+hVuwP2e8UkasYgo33pcupsS5jcyXJT9Kf3p/nqOJ3QGlwOtP
lf0DUifdd/QrEXWcMBu+zc9HgtUzpyU3KAoVrxo4JQLaoRlq3kwk3mOOFA0Fzd16
neuJL2wp/RPuL47StHwA9HxQP+3znXkNxmt9yXGzeyeOBpK4O9qoQ9y7Rbd/FR2u
wEl5uAjhhH2xmAUnIKp5Y1UAFSLqZEaiJjjCHMHycaTpCucjEcChpaBGDAXYS1h+
x/r6R46UgIzMvjpd2vy+C1aQg0p1Z6P65ifOkdAYIghpSkp+F6SUHHkL3w/kRRjE
dBF8YWFm/yl9P9qenakC5NsAA+bR4ZpNWpv32sYuVjIuoV20GdS7UIVQnvos8bBK
NfqoFmz4n8Eo1jLRcCJ376ow7bSEhRIJlJxdq7bFjZ/3Wtk9vt9dG6XV7wLdJwXS
XgGRxjv94TYLFowYA8/uu9fWxvf2i2lLqctjrvbZkW0Rdn2Ym5GXjg6St3Diug6r
y87PJPSN7CYE4jzCDPaSnGcBvwDHrQsLHLAmenfrAi2Jnweg/THpm9UAftoC7AY=
=Fxot
-----END PGP MESSAGE-----
fp: 5DA93D5C9D7320E1BD3522C79C78172B3551C9FD
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA46L6MuPqfJqARAAnZq75P7GPcuBCBLUOVPK8w1IBxd4XzoEWW3+T80bFTZE
ZjPAvfiGcOqIfc8CPzpS1drviWiRkuEV4EKCuDmX9GReI0SUlvaoiddUA9V62f4b
akBrzqR0nNnWWvjph4/5PRAQO+xO4wQy2r9thCw4oej3QgvKtLRRRY35TkGqlS0t
ej4d80KaqGGsfIPQ5L9f+lqarrKvYx3DMK6CujN13Kot44Uom4L5TeIdPSAW14jS
13fa/I1Irq56ME9kNctsuAkRkhrW+KchFJqkYXSS82SbXUDDNcVA7knXSzxVR+iU
NJXb8bQO4Ymi8sWPWKHW/GXUkReiTLl8MkLi+mCwL7qo5fMQcBg/KWo0hReQYCj3
G9DZPs3xWYFcwcmrSV86LSqjMt5g8ZKjPm6ODQcZVA/ZsGlmdTkjsWNn6WRZI55m
8kkg7BoRMq7p6b15tW4e/w2rr/bTmGQ9dV03KIpmBG6+OUzwgfB2/w2dGmB7Vor6
JMzvt+1I/PSHsCC/7GurTurAP63x8NO/9HYX2Qg0qzsOusnTKrCoo4lX/tA5YfIt
OKr6zqy8s5Dv/lGUhofkJrhHr/QTRHFVrFtPNn4yfSzo+8uhomHGsmxBGOOiY83L
3zwYm+9BlzO/ve7PIvs54hIHQaKsP9Ktsgq/+dM7PVlIb5qfwGNvgoS2QXFqCF/S
XgHWy41J0zTGoyEpooGkheVKvgEPvv6YIlm9oTucYP03AkKWxBr9MTNq/+JcLRvw
Zey10uVJnYPUuH2b9f8N8lNBZlkQCBq/AEu0MsygsK8bcVfQL1Qs58xh1uA7gL8=
=wduB
-----END PGP MESSAGE-----
fp: 8996B62CBD159DCADD3B6DC08BB33A8ABCF7BC4A
- created_at: "2026-02-17T22:22:03Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hF4DQrf1tCqiJxoSAQdA4Y8j9A4ECAds0oJlP50Td1HpYIhywjXKi+pT7CTPXQ8w
95+hUucTE8WQO/9u4HV2Y2nuyQPwmaYK0iGbNV3YxgI3Zdtf1T680hQxT4y55E1/
0l4B+70h9ojiHZkpVKVmFFZdY+tS/jQIFIRxqTW1AAfDf+chO3sUxbRe2qZhOXoY
b/QKU11wFpmOZmzznurOoxkqdNgGNcFm9+Ntb4ZSLSYzx7wrjzmWsaTdFd+coO1j
=V+rP
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
version: 3.8.1

7
config/hosts/woodpecker/sops.nix Normal file
View file

@ -0,0 +1,7 @@
{ ... }:
{
sops = {
defaultSopsFile = ./secrets.yaml;
};
}

8
config/hosts/woodpecker/woodpecker-agent/default.nix Normal file
View file

@ -0,0 +1,8 @@
{ config, pkgs, ... }:
{
imports = [
./docker.nix
./woodpecker-agent.nix
];
}

12
config/hosts/woodpecker/woodpecker-agent/docker.nix Normal file
View file

@ -0,0 +1,12 @@
# Sources for this configuration:
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
# - https://woodpecker-ci.org/docs/administration/backends/docker
# - https://nixos.wiki/wiki/Docker
{ config, pkgs, ... }:
{
virtualisation.docker = {
enable = true;
};
}

29
config/hosts/woodpecker/woodpecker-agent/woodpecker-agent.nix Normal file
View file

@ -0,0 +1,29 @@
# Sources for this configuration:
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
# - https://woodpecker-ci.org/docs/administration/agent-config
# - https://woodpecker-ci.org/docs/administration/backends/docker
{ config, pkgs, ... }:
{
services.woodpecker-agents.agents."docker" = {
enable = true;
package = pkgs.woodpecker-agent;
extraGroups = [ "docker" ];
environment = {
WOODPECKER_SERVER = "localhost${config.services.woodpecker-server.environment.WOODPECKER_GRPC_ADDR}";
WOODPECKER_MAX_WORKFLOWS = "4";
WOODPECKER_BACKEND = "docker";
# Set via enviornmentFile:
# WOODPECKER_AGENT_SECRET
};
environmentFile = [ "/run/secrets/woodpecker_agent_environment_file" ];
};
sops.secrets."woodpecker_agent_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "woodpecker-agent-docker.service" ];
};
}

9
config/hosts/woodpecker/woodpecker-server/default.nix Normal file
View file

@ -0,0 +1,9 @@
{ config, pkgs, ... }:
{
imports = [
./nginx.nix
./postgresql.nix
./woodpecker-server.nix
];
}

57
config/hosts/woodpecker/woodpecker-server/nginx.nix Normal file
View file

@ -0,0 +1,57 @@
# Sources for this configuration:
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
# - https://woodpecker-ci.org/docs/administration/proxy
{ config, pkgs, ... }:
{
services.nginx = {
enable = true;
virtualHosts."acme-woodpecker.hamburg.ccc.de" = {
default = true;
enableACME = true;
serverName = "woodpecker.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
virtualHosts."woodpecker.hamburg.ccc.de" = {
default = true;
forceSSL = true;
useACMEHost = "woodpecker.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
proxyProtocol = true;
}
];
locations."/" = {
proxyPass = "http://localhost${config.services.woodpecker-server.environment.WOODPECKER_SERVER_ADDR}";
};
extraConfig = ''
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
networking.firewall.allowedTCPPorts = [ 8443 31820 ];
networking.firewall.allowedUDPPorts = [ 8443 ];
}

18
config/hosts/woodpecker/woodpecker-server/postgresql.nix Normal file
View file

@ -0,0 +1,18 @@
# Sources for this configuration:
# - https://github.com/NixOS/nixpkgs/blob/dce84c46d780b20c064d5dfb10d0686e0584a198/nixos/modules/services/web-apps/nextcloud.nix#L1069
{ config, pkgs, ... }:
{
services.postgresql = {
enable = true;
package = pkgs.postgresql_15;
ensureDatabases = [ "woodpecker-server" ];
ensureUsers = [
{
name = "woodpecker-server";
ensureDBOwnership = true;
}
];
};
}

44
config/hosts/woodpecker/woodpecker-server/woodpecker-server.nix Normal file
View file

@ -0,0 +1,44 @@
# Sources for this configuration:
# - https://woodpecker-ci.org/docs/administration/deployment/nixos
# - https://woodpecker-ci.org/docs/administration/server-config
# - https://woodpecker-ci.org/docs/administration/database
# - https://woodpecker-ci.org/docs/administration/forges/forgejo
# - https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING
{ config, pkgs, ... }:
{
services.woodpecker-server = {
enable = true;
package = pkgs.woodpecker-server;
environment = {
WOODPECKER_HOST = "https://woodpecker.hamburg.ccc.de";
WOODPECKER_SERVER_ADDR = ":8001";
WOODPECKER_GRPC_ADDR = ":9000";
WOODPECKER_ADMIN = "june";
WOODPECKER_OPEN = "true";
WOODPECKER_ORGS = "CCCHH";
WOODPECKER_DATABASE_DRIVER = "postgres";
WOODPECKER_DATABASE_DATASOURCE = "postgresql://woodpecker-server@/woodpecker-server?host=/run/postgresql";
WOODPECKER_FORGEJO = "true";
WOODPECKER_FORGEJO_URL = "https://git.hamburg.ccc.de";
WOODPECKER_LIMIT_MEM = "6442450944"; # 6GB
# Set via enviornmentFile:
# WOODPECKER_FORGEJO_CLIENT
# WOODPECKER_FORGEJO_SECRET
};
environmentFile = [ "/run/secrets/woodpecker_server_environment_file" ];
};
systemd.services.woodpecker-server.serviceConfig = {
User = "woodpecker-server";
Group = "woodpecker-server";
};
sops.secrets."woodpecker_server_environment_file" = {
mode = "0440";
owner = "root";
group = "root";
restartUnits = [ "woodpecker-server.service" ];
};
}

6
deployment_configuration.json
View file

@ -6,9 +6,15 @@
"matrix": {
"targetHostname": "matrix-intern.hamburg.ccc.de"
},
"public-web-static": {
"targetHostname": "public-web-static-intern.hamburg.ccc.de"
},
"git": {
"targetHostname": "git.hamburg.ccc.de"
},
"forgejo-actions-runner": {
"targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
},
"woodpecker": {
"targetHostname": "woodpecker-intern.hamburg.ccc.de"
},

18
flake.lock generated
View file

@ -19,11 +19,11 @@
},
"nixpkgs": {
"locked": {
"lastModified": 1778430510,
"narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=",
"lastModified": 1775002709,
"narHash": "sha256-d3Yx83vSrN+2z/loBh4mJpyRqr9aAJqlke4TkpFmRJA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575",
"rev": "bcd464ccd2a1a7cd09aa2f8d4ffba83b761b1d0e",
"type": "github"
},
"original": {
@ -35,11 +35,11 @@
},
"nixpkgs-unstable": {
"locked": {
"lastModified": 1778672786,
"narHash": "sha256-Blg88K1jwG+P0Mr27+rKMFCufdrWkV3wWh9AdYtz0FQ=",
"lastModified": 1775126147,
"narHash": "sha256-J0dZU4atgcfo4QvM9D92uQ0Oe1eLTxBVXjJzdEMQpD0=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "eef00dfd8a712b34af845f9350bac681b1228bd1",
"rev": "8d8c1fa5b412c223ffa47410867813290cdedfef",
"type": "github"
},
"original": {
@ -64,11 +64,11 @@
]
},
"locked": {
"lastModified": 1777944972,
"narHash": "sha256-VfGRo1qTBKOe3s2gOv8LSoA6Fk19PvBlwQ1ECN0Evn8=",
"lastModified": 1775188331,
"narHash": "sha256-/0BoSi0Dg0ON7IW0oscM12WSPBaMSCn36XTt0lHZoy8=",
"owner": "Mic92",
"repo": "sops-nix",
"rev": "c591bf665727040c6cc5cb409079acb22dcce33c",
"rev": "8f093d0d2f08f37317778bd94db5951d6cce6c46",
"type": "github"
},
"original": {

11
flake.nix
View file

@ -159,6 +159,17 @@
];
};
woodpecker = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [
self.nixosModules.common
self.nixosModules.proxmox-vm
sops-nix.nixosModules.sops
self.nixosModules.prometheus-exporter
./config/hosts/woodpecker
];
};
penpot = nixpkgs.lib.nixosSystem {
inherit system specialArgs;
modules = [