diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix index 2e94ebf..898df39 100644 --- a/config/hosts/public-web-static/nginx.nix +++ b/config/hosts/public-web-static/nginx.nix @@ -6,7 +6,7 @@ appendHttpConfig = '' access_log off; - # load the DI-Day redirect map from the webroot + # load the DID redirect map from the webroot map $request_uri $did_redirect_target { include /var/www/diday.org/nginx-redirects.conf; } diff --git a/config/hosts/public-web-static/secrets.yaml b/config/hosts/public-web-static/secrets.yaml index e8080d8..e1f1a5b 100644 --- a/config/hosts/public-web-static/secrets.yaml +++ b/config/hosts/public-web-static/secrets.yaml @@ -1,6 +1,6 @@ spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str] staging.diday.org: - lego.env: ENC[AES256_GCM,data:PCah9T6gKMADx47bhT5fTcylnKjC8ZDjZl4E4FJRa1zUmihLe8hj65w=,iv:IrIgBPHvaQx2bjrUapzmcsMoQ+Md4edsJQmL+ykJddE=,tag:SV8igeQ2/o7V3oJUdYMc2Q==,type:str] + lego.env: ENC[AES256_GCM,data:FHCHBrjapNGSAtUnDTMZfeAZJqZV65d8COBJF8lzZmNBiw0jXyrmJ6rnUbYmnPN54T+1e8V0dzkdqmYX708tpFWagOPPQ9Ko+D+lV5yJ4hj/lhunuPSetWC/5dGBfN6CbA==,iv:WZ8CWu40ToF2mbpSUR6pDdUa6jcWPIUsWhVaGGBwx1E=,tag:8CohD3CwcUm2LzAJ8Lfimg==,type:str] sops: age: - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d 
@@ -21,8 +21,8 @@ sops: ZE9rN3R4aHRXR0dBc2oxcEYrL1lxZncKuVocF84+ge1gyzfNjIxhwNgd8+kJIpxh yREbS2mrQ2zvSMtw9OoA0KJSpoHZfIiCwn2uYkQDPiGB/721JmA12Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-02-27T19:45:05Z" - mac: ENC[AES256_GCM,data:7tjKwRlcOHEg+CU5BP20gzjLK2YFTDtoHmQlsQsiy4JjRNIeVDWtzTnwsMwQ9KuDaGaJqL8Tgmu7nUZyDPS44G58by19oLIRRFj1emaNUigJQGCqNM5zKA9wF7OZKpnK0y3adu7ydNrtoBvw//9vWPZ0WMUwJXHNsyKMOHs36Yo=,iv:kIaDPhrbDMogNAgOVYvyDeAgc/FmzwHANoB+O9WGuV0=,tag:J3jejVDNGLquiiBkNiHbtQ==,type:str] + lastmodified: "2026-02-27T20:40:06Z" + mac: ENC[AES256_GCM,data:Nsburro0nSV8CLZsxLaFrwsE5EIz8qQOlclNynbRT03XkfaPN2Pup8UWg9QL34KGcGUweqtytxZvLWjwfJYEsIkLqi4ZfrpXpEfBowq5aNbWHzDJDW5QqZKaUPmMQxiPVm1EhXmyvfVdFEueOhfFLbuNUSvNWaFk/7l2utTeLrs=,iv:dSJDVYGdaunvRqj+EkPGy3qxR9suV0s2Mm26silX24M=,tag:hqA+4FpP2PwatRMnZUcUqw==,type:str] pgp: - created_at: "2026-02-17T22:22:02Z" enc: |- diff --git a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix index 35a301d..b165348 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix @@ -7,15 +7,16 @@ let in { security.acme.certs."${domain}" = { - domain = "*.diday.org"; + domain = "staging.diday.org"; + extraDomainNames = [ "*.staging.diday.org" ]; group = "nginx"; - server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + dnsResolver = "45.54.76.1:53"; dnsProvider = "desec"; environmentFile = config.sops.secrets."staging.diday.org/lego.env".path; }; services.nginx.virtualHosts = { - "${domain}" = { + "*.${domain}" = { useACMEHost = "${domain}"; forceSSL = true; 
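Review bot: `dnsResolver = "45.54.76.1:53";` pins the resolver used for the DNS-01 checks to a single hard-coded IP, with no comment saying whose server it is or why the system resolver is not used. A comment such as `# <owner of 45.54.76.1>: queried directly so the propagation check does not depend on a caching resolver` (wording for the author to confirm) would let the next maintainer judge whether the address is still valid. Removing the `server` line presumably sends requests to the module's default ACME endpoint instead of the Let's Encrypt staging one, so failed DNS-01 attempts would now count against production rate limits. The vhost key changes from `"${domain}"` to `"*.${domain}"`, which as far as this hunk shows leaves the bare `staging.diday.org` (the certificate's primary name) without a matching server block; confirm that falling through to the default server is intended. The vhost body continues past the end of the hunk.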
@@ -41,10 +42,33 @@ in
 # Then tell the realip_module to get the addreses from the proxy protocol
 # header.
 real_ip_header proxy_protocol;
+ port_in_redirect off;
 error_page 404 /404.html;
- port_in_redirect off;
+ location / {
+ if ($host ~* "^(pr\d+)\.staging\.diday\.org$") {
+ root /var/www/staging.diday.org/$1/;
+ }
+
+ index index.html;
+ try_files $uri $uri/ =404;
+
+ # deny access to the redirects config file
+ location = /nginx-redirects.conf {
+ deny all;
+ return 404;
+ }
+
+ # dynamically redirect the user to the language they prefer
+ location = / {
+ set $lang "de";
+ if ($http_accept_language ~* "^en") {
+ set $lang "en";
+ }
+ return 302 /$lang/;
+ }
+ }
 '';
 };
 };
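Review bot: Setting `root` from `if ($host ~* ...)` inside `location /` runs into nginx's documented `if`-in-location pitfall: when the `if` matches, the request is handled in the implicit nested configuration, where the `try_files $uri $uri/ =404;` two lines below is documented as not being applied. The capture itself is tight (anchored, `pr\d+` only), so the Host header cannot steer `root` outside `/var/www/staging.diday.org/`, but a Host that does not match leaves this location with whatever root is inherited from outside the hunk, and that fallback should be made explicit. A named capture in the server name would avoid both, for example `serverName = "~^(?<pr>pr\\d+)\\.staging\\.diday\\.org$";` on the vhost with a plain `root /var/www/staging.diday.org/$pr/;` here. In `location = /nginx-redirects.conf`, `return 404;` runs in the rewrite phase, so `deny all;` is never consulted and can be dropped. The enclosing config string begins outside this hunk.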