From be8581c2d0c806900316380db72ed14df418b0fc Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 17 Feb 2026 22:56:53 +0100
Subject: [PATCH] configure diday website dpeloyment
---
.../forgejo-actions-runner.nix | 29 ++++++++
.../forgejo-actions-runner/networking.nix | 11 ++-
.../hosts/forgejo-actions-runner/secrets.yaml | 7 +-
.../virtualHosts/default.nix | 2 +
.../virtualHosts/did.hamburg.ccc.de.nix | 68 +++++++++++++++++++
.../staging.did.hamburg.ccc.de.nix | 59 ++++++++++++++++
6 files changed, 170 insertions(+), 6 deletions(-)
create mode 100644 config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
create mode 100644 config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
index 376fde6..d5a93c1 100644
--- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@@ -15,6 +15,29 @@
tokenFile = "/run/secrets/forgejo_actions_runner_registration_token";
labels = [ "docker:docker://node:current-bookworm" ];
settings = {
+ cache = {
+ proxy_port = 45540;
+ };
+ runner = {
+ capacity = 4;
+ };
+ };
+ };
+
+ instances.ccchh-codeberg-org-diday = {
+ enable = true;
+ name = "ccchh runner for codeberg.org/di-day";
+ url = "https://codeberg.org/";
+ tokenFile = "/run/secrets/codeberg_org_diday_runner_registration_token";
+ labels = [
+ "docker:docker://node:current-bookworm"
+ "debian-latest:docker://node:current-bookworm"
+ "alpine-latest:docker://node:current-alpine"
+ ];
+ settings = {
+ cache = {
+ proxy_port = 45541;
+ };
runner = {
capacity = 4;
};
@@ -28,4 +51,10 @@
group = "root";
restartUnits = [ "gitea-runner-ccchh\\x2dforgejo\\x2dglobal\\x2ddocker.service" ];
};
+ sops.secrets."codeberg_org_diday_runner_registration_token" = {
+ mode = "0440";
+ owner = "root";
+ group = "root";
+ restartUnits = [ "gitea-runner-ccchh\\x2dcodeberg\\x2dorg\\x2ddiday.service" ];
+ };
}
diff --git a/config/hosts/forgejo-actions-runner/networking.nix b/config/hosts/forgejo-actions-runner/networking.nix
index 8990224..71aa47a 100644
--- a/config/hosts/forgejo-actions-runner/networking.nix
+++ b/config/hosts/forgejo-actions-runner/networking.nix
@@ -1,6 +1,8 @@
-{ ... }:
-
-{
+{ lib, config, ... }:
+let
+ runnerInstances = lib.attrValues config.services.gitea-actions-runner.instances;
+ runnerCachePorts = lib.map (i: i.settings.cache.proxy_port) runnerInstances;
+in {
networking = {
interfaces.net0 = {
ipv4.addresses = [
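Review bot: `runnerCachePorts` on the fourth added line fails evaluation as soon as any runner instance omits `settings.cache.proxy_port`, because `settings` is freeform and the attribute path is read unconditionally. Reading it with a fallback and dropping the misses keeps the firewall list correct for instances that do not use the cache proxy: `runnerCachePorts = lib.filter (p: p != null) (lib.map (i: i.settings.cache.proxy_port or null) runnerInstances);`. A value of 0 presumably means "random port" on the runner side and would also be worth excluding, since opening port 0 does nothing useful. As a style point, the other Nix files in this commit put `{` on its own line after `in` rather than `in {`.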
@@ -19,4 +21,7 @@
matchConfig.MACAddress = "1E:E0:4E:D0:DA:BE";
linkConfig.Name = "net0";
};
+
+ # open ports for runner cache proxy so that we can use the cache action
+ networking.firewall.allowedTCPPorts = runnerCachePorts;
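Review bot: `networking.firewall.allowedTCPPorts = runnerCachePorts;` opens the cache-proxy ports on every interface, including net0 with the static address configured just above, while the only clients that need to reach the proxy are the job containers on the Docker bridge. Unless the cache proxy authenticates its clients (I have not verified that for act_runner), this exposes a writable build cache to anything that can reach net0; scoping the rule to the container-facing interface avoids that, e.g. `networking.firewall.interfaces.docker0.allowedTCPPorts = runnerCachePorts;` if the runner uses the default Docker bridge, and the comment on the line above should then name that interface. The enclosing attrset starts before this hunk, so whether this line sits at top level or inside `networking = { ... }` (where it would have to be `firewall.allowedTCPPorts`) is not visible here.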
}
diff --git a/config/hosts/forgejo-actions-runner/secrets.yaml b/config/hosts/forgejo-actions-runner/secrets.yaml
index 5debd4d..79df4d5 100644
--- a/config/hosts/forgejo-actions-runner/secrets.yaml
+++ b/config/hosts/forgejo-actions-runner/secrets.yaml
@@ -1,4 +1,5 @@
forgejo_actions_runner_registration_token: ENC[AES256_GCM,data:gAR2ffrffeuuaOwO6mWcif2e6csKIVoLqrux19iBlrTkFHgo/IlHVL0eSUGqnw==,iv:i12yx/quwT9kj6fPECszo/iG9cVhKX+7dAA6/N09URc=,tag:eO+mWhumgvWzQxYqiRUXbA==,type:str]
+codeberg_org_diday_runner_registration_token: ENC[AES256_GCM,data:thTsLo/eXVPbXt4b8ldae+kGnOR4GbYKOqr1hVJgaL7wZ5GgqWSPcOuhow96Jw==,iv:Fzi+DsKj+4PrwQGEosUntm9l7s78NwzhkmF6e/sfF+s=,tag:oa7mnbGR0J5xi9ruCgRJtQ==,type:str]
sops:
age:
- recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d
@@ -19,8 +20,8 @@ sops:
TklLZWM0cDBKaGJJM2tQQWRLZXhFYU0Ko7cyvzMvwlGCCP3UAX1+5uTI4srhZ5l9
DPaHySiC+rLy+8R9UqEuTKbP4/Aw4NZ/UcfjNnVkqqqNJIODmLoOhg==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-26T00:29:52Z"
- mac: ENC[AES256_GCM,data:c0261ungapxYViyviTpNsSJZs6OMQ8fyHNqBpvTBp9jEEbbvJBSbqJtwJvVDg8Kv3xrZjC0jZSQOWkvYJlb2PFuW2/GXy5YpLCo7k3ZhXhUbotsDFPe30bvfVxZWhMpaS2rEXlxCqHeVmqoslL34jpLuFx04FmoBh91yjDMoiTw=,iv:njo4Bu4FzAbU6t7CSbqw7hcJ960oqsIKuV/qUGF8c1I=,tag:dzFxW8vyZsDFkd/ARkt5jw==,type:str]
+ lastmodified: "2026-02-18T09:51:37Z"
+ mac: ENC[AES256_GCM,data:4fWsE3U6WxRqlKHKC4ipE+RQ7MPjiZZcTFMSblxty7JjJHAdKUHbthFB+R8gIWxZEjX5WG+IPgUP+AcCLSI9fdcXMqIFMuDun2hiktwqxzLPGYAoCXdTBAd1uCUagvB/rFty6y8umD4J5ITgEGba9pvGdUcng9WVRV+LGDftS1g=,iv:tD9tlcylQWapNCARxPXrKofZXf2BHTt2c4PQqFNj6X8=,tag:pQ8lOqJEFCcCcJot3BYTmQ==,type:str]
pgp:
- created_at: "2026-02-17T22:21:57Z"
enc: |-
@@ -145,4 +146,4 @@ sops:
-----END PGP MESSAGE-----
fp: B71138A6A8964A3C3B8899857B4F70C356765BAB
unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.11.0
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix
index 3532c25..35da7f5 100644
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@@ -18,6 +18,8 @@
./staging.hackertours.hamburg.ccc.de.nix
./staging.hamburg.ccc.de.nix
./www.hamburg.ccc.de.nix
+ ./staging.did.hamburg.ccc.de.nix
+ ./did.hamburg.ccc.de.nix
./historic-easterhegg
];
}
diff --git a/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
new file mode 100644
index 0000000..923053e
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
@@ -0,0 +1,68 @@
+{ ... }:
+
+let
+ domain = "did.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "diday-website-deploy";
+in
+{
+ # security.acme.certs."${domain}".extraDomainNames = [];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+
+ users.users."${deployUser}" = {
+ isNormalUser = true;
+ group = "${deployUser}";
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBitESG5AvHnHLPo+kdsV5l+wzSTqCltkk0IFAWGqBcl codeberg-actions-runner"
+ ];
+ };
+ users.groups."${deployUser}" = { };
+}
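Review bot: The `diday-website-deploy` account near the bottom of the file is created as a normal user with an unrestricted SSH key, and the same account owns both this production web root and the staging one in the sibling file, so the one key held by the codeberg pipeline can write production content from a staging run. Least privilege would use a separate account or at least a separate key per environment, and constrain each key to the upload step with authorized_keys options such as `restrict` and a `command=` for the deploy tool, documented in a comment above `openssh.authorizedKeys.keys`. The `set_real_ip_from 172.31.17.140;` line is copied across vhosts without saying which host it is; a comment naming the proxy-protocol frontend would help, and the nginx comment after it misspells "addresses". The commented-out `security.acme.certs` line is dead configuration and could be dropped.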
diff --git a/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
new file mode 100644
index 0000000..ad2b246
--- /dev/null
+++ b/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
@@ -0,0 +1,59 @@
+{ ... }:
+
+let
+ domain = "staging.did.hamburg.ccc.de";
+ dataDir = "/var/www/${domain}";
+ deployUser = "diday-website-deploy";
+in
+{
+ # security.acme.certs."${domain}".extraDomainNames = [];
+
+ services.nginx.virtualHosts = {
+ "acme-${domain}" = {
+ enableACME = true;
+ serverName = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 31820;
+ }
+ ];
+ };
+
+ "${domain}" = {
+ forceSSL = true;
+ useACMEHost = "${domain}";
+
+ listen = [
+ {
+ addr = "0.0.0.0";
+ port = 8443;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
+
+ root = "${dataDir}";
+
+ extraConfig = ''
+ # Make use of the ngx_http_realip_module to set the $remote_addr and
+ # $remote_port to the client address and client port, when using proxy
+ # protocol.
+ # First set our proxy protocol proxy as trusted.
+ set_real_ip_from 172.31.17.140;
+ # Then tell the realip_module to get the addreses from the proxy protocol
+ # header.
+ real_ip_header proxy_protocol;
+
+ error_page 404 /404.html;
+
+ port_in_redirect off;
+ '';
+ };
+ };
+
+ systemd.tmpfiles.rules = [
+ "d ${dataDir} 0755 ${deployUser} ${deployUser}"
+ ];
+}
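Review bot: This file uses `deployUser` for the tmpfiles rule but never declares the user or group; it relies on did.hamburg.ccc.de.nix from the same commit defining `users.users.diday-website-deploy`, so renaming or removing the account there breaks this vhost without any error pointing here. A comment next to the binding, `# account is declared in did.hamburg.ccc.de.nix; both vhosts share it`, makes the coupling visible, and moving the user definition into a module both files import would remove it. Apart from that the file duplicates did.hamburg.ccc.de.nix almost line for line; a small function taking `domain` would keep the two from drifting.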