From c9e27a5bb6ad80362a2cb573a36045532200d806 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 7 Jan 2026 19:20:50 +0100 Subject: [PATCH 01/13] mjolnir: use cloud-init for network configuration and move to new net. Switch to cloud-init to align with the Ansible infra. Also move to new network and hostname. --- config/hosts/mjolnir/networking.nix | 28 +++++++++++++++++----------- deployment_configuration.json | 2 +- 2 files changed, 18 insertions(+), 12 deletions(-) diff --git a/config/hosts/mjolnir/networking.nix b/config/hosts/mjolnir/networking.nix index a441814..4d4693d 100644 --- a/config/hosts/mjolnir/networking.nix +++ b/config/hosts/mjolnir/networking.nix @@ -1,18 +1,24 @@ { ... }: { - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.161"; - prefixLength = 25; - } + networking.useDHCP = false; + + services.cloud-init = { + enable = true; + network.enable = true; + + # Version without ssh of: + # https://github.com/NixOS/nixpkgs/blob/3c9db02515ef1d9b6b709fc60ba9a540957f661c/nixos/modules/services/system/cloud-init.nix#L145 + # So we don't get ssh hostkey regenerations. + settings.cloud_config_modules = [ + "disk_setup" + "mounts" + "ssh-import-id" + "set-passwords" + "timezone" + "disable-ec2-metadata" + "runcmd" ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; }; systemd.network.links."10-net0" = { diff --git a/deployment_configuration.json b/deployment_configuration.json index 9c2f99a..929f2be 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -16,7 +16,7 @@ "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de" }, "mjolnir": { - "targetHostname": "mjolnir-intern.hamburg.ccc.de" + "targetHostname": "mjolnir.hosts.hamburg.ccc.de" }, "woodpecker": { "targetHostname": "woodpecker-intern.hamburg.ccc.de" From 79952f8c63bd91d4edfc8baf1f140d91252e3cf1 Mon Sep 17 00:00:00 2001 
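Review bot: With `networking.useDHCP = false;` and the static address, gateway, `nameservers` and `search` entries all removed, this host has no connectivity at all if cloud-init's datasource is unreachable at boot, and whether that datasource also delivers the DNS settings the removed lines used to provide is not visible here and should be confirmed. The trimmed `settings.cloud_config_modules` list still keeps `ssh-import-id` and `set-passwords`, which act on user-data from the datasource rather than on network config; since the commit's stated purpose is network configuration, listing only the modules actually needed keeps a misconfigured or untrusted metadata source from changing passwords or importing keys. The comment above the list would be clearer as `# Same list as the nixpkgs default (link below) minus the "ssh" module, so cloud-init never regenerates the SSH host keys.`. The kept `systemd.network.links."10-net0"` rename still has to match the interface name the datasource's network config refers to; the file continues past the hunk.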
From: June Date: Sat, 17 Jan 2026 22:06:24 +0100 Subject: [PATCH 02/13] hydra: remove hydra as its being decommissioned nix-infra is built back in general, so remove hydra as well. --- config/hosts/hydra/configuration.nix | 9 ----- config/hosts/hydra/default.nix | 11 ------ config/hosts/hydra/hydra.nix | 15 ------- config/hosts/hydra/networking.nix | 22 ----------- config/hosts/hydra/nginx.nix | 58 ---------------------------- config/hosts/hydra/nix.nix | 10 ----- 6 files changed, 125 deletions(-) delete mode 100644 config/hosts/hydra/configuration.nix delete mode 100644 config/hosts/hydra/default.nix delete mode 100644 config/hosts/hydra/hydra.nix delete mode 100644 config/hosts/hydra/networking.nix delete mode 100644 config/hosts/hydra/nginx.nix delete mode 100644 config/hosts/hydra/nix.nix diff --git a/config/hosts/hydra/configuration.nix b/config/hosts/hydra/configuration.nix deleted file mode 100644 index a4c612e..0000000 --- a/config/hosts/hydra/configuration.nix +++ /dev/null @@ -1,9 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "hydra"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/hydra/default.nix b/config/hosts/hydra/default.nix deleted file mode 100644 index f621711..0000000 --- a/config/hosts/hydra/default.nix +++ /dev/null @@ -1,11 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./hydra.nix - ./networking.nix - ./nginx.nix - ./nix.nix - ]; -} diff --git a/config/hosts/hydra/hydra.nix b/config/hosts/hydra/hydra.nix deleted file mode 100644 index f315710..0000000 --- a/config/hosts/hydra/hydra.nix +++ /dev/null @@ -1,15 +0,0 @@ -{ ... }: - -{ - services.hydra = { - enable = true; - listenHost = "localhost"; - port = 3000; - hydraURL = "https://hydra.hamburg.ccc.de/"; - # E-Mail configuration requires some work/investigation still. - notificationSender = "no-reply@hydra.hamburg.ccc.de"; - useSubstitutes = true; - minimumDiskFree = 8; - minimumDiskFreeEvaluator = 2; - }; -} 
diff --git a/config/hosts/hydra/networking.nix b/config/hosts/hydra/networking.nix deleted file mode 100644 index 82cec55..0000000 --- a/config/hosts/hydra/networking.nix +++ /dev/null @@ -1,22 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "172.31.17.163"; - prefixLength = 25; - } - ]; - }; - defaultGateway = "172.31.17.129"; - nameservers = [ "212.12.50.158" "192.76.134.90" ]; - search = [ "hamburg.ccc.de" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:45:7C:D6"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/hydra/nginx.nix b/config/hosts/hydra/nginx.nix deleted file mode 100644 index 49ca2e1..0000000 --- a/config/hosts/hydra/nginx.nix +++ /dev/null @@ -1,58 +0,0 @@ -{ config, pkgs, ... }: - -let - domain = "hydra.hamburg.ccc.de"; -in -{ - services.nginx = { - enable = true; - - virtualHosts = { - "acme-${domain}" = { - default = true; - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - - "${domain}" = { - default = true; - forceSSL = true; - useACMEHost = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}"; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 172.31.17.140; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - }; - }; - - networking.firewall.allowedTCPPorts = [ 8443 31820 ]; - networking.firewall.allowedUDPPorts = [ 8443 ]; -} 
diff --git a/config/hosts/hydra/nix.nix b/config/hosts/hydra/nix.nix deleted file mode 100644 index b95e469..0000000 --- a/config/hosts/hydra/nix.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - # Allow Hydra to fetch flake inputs. - nix.settings.allowed-uris = [ - "github:" - "https://github.com/" - "https://git.hamburg.ccc.de/" - ]; -} From 28d82f149d296155dfaf04c9aab8ecd2ab89a871 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:09:15 +0100 Subject: [PATCH 03/13] status: remove status as it got replaced by a ansible-managed Gatus --- config/hosts/public-reverse-proxy/nginx.nix | 17 --- config/hosts/status/configuration.nix | 10 -- config/hosts/status/default.nix | 10 -- config/hosts/status/networking.nix | 29 ---- config/hosts/status/nginx.nix | 149 -------------------- config/hosts/status/uptime-kuma.nix | 7 - flake.nix | 10 -- 7 files changed, 232 deletions(-) delete mode 100644 config/hosts/status/configuration.nix delete mode 100644 config/hosts/status/default.nix delete mode 100644 config/hosts/status/networking.nix delete mode 100644 config/hosts/status/nginx.nix delete mode 100644 config/hosts/status/uptime-kuma.nix diff --git a/config/hosts/public-reverse-proxy/nginx.nix b/config/hosts/public-reverse-proxy/nginx.nix index 507b71a..68c30c2 100644 --- a/config/hosts/public-reverse-proxy/nginx.nix +++ b/config/hosts/public-reverse-proxy/nginx.nix @@ -6,22 +6,6 @@ { config, pkgs, ... }: { - services.nginx.streamConfig = '' - map $ssl_preread_server_name $address { - status.ccchh.net 10.31.206.15:8443; - status.hamburg.ccc.de 10.31.206.15:8443; - } - - # Listen on port 443 as a reverse proxy and use PROXY Protocol for the - # upstreams. - server { - listen 0.0.0.0:443; - proxy_pass $address; - ssl_preread on; - proxy_protocol on; - } - ''; - services.nginx.appendHttpConfig = '' map $host $upstream_acme_challenge_host { club-assistant.ccchh.net 10.31.208.10; 
@@ -35,7 +19,6 @@ zigbee2mqtt.ccchh.net 10.31.208.25:31820; esphome.ccchh.net 10.31.208.24:31820; proxmox-backup-server.ccchh.net 10.31.208.28; - status.ccchh.net 10.31.206.15:31820; default ""; } ''; diff --git a/config/hosts/status/configuration.nix b/config/hosts/status/configuration.nix deleted file mode 100644 index c36dc63..0000000 --- a/config/hosts/status/configuration.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - networking = { - hostName = "status"; - domain = "z9.ccchh.net"; - }; - - system.stateVersion = "24.05"; -} diff --git a/config/hosts/status/default.nix b/config/hosts/status/default.nix deleted file mode 100644 index d8644c5..0000000 --- a/config/hosts/status/default.nix +++ /dev/null @@ -1,10 +0,0 @@ -{ ... }: - -{ - imports = [ - ./configuration.nix - ./networking.nix - ./nginx.nix - ./uptime-kuma.nix - ]; -} diff --git a/config/hosts/status/networking.nix b/config/hosts/status/networking.nix deleted file mode 100644 index 0bff4b5..0000000 --- a/config/hosts/status/networking.nix +++ /dev/null @@ -1,29 +0,0 @@ -{ ... }: - -{ - networking = { - interfaces.net0 = { - ipv4.addresses = [ - { - address = "10.31.206.15"; - prefixLength = 23; - } - ]; - ipv6.addresses = [ - { - address = "2a07:c481:1:ce::a"; - prefixLength = 64; - } - ]; - }; - defaultGateway = "10.31.206.1"; - defaultGateway6 = "2a07:c481:1:ce::1"; - nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ]; - search = [ "z9.ccchh.net" ]; - }; - - systemd.network.links."10-net0" = { - matchConfig.MACAddress = "BC:24:11:79:D3:E1"; - linkConfig.Name = "net0"; - }; -} diff --git a/config/hosts/status/nginx.nix b/config/hosts/status/nginx.nix deleted file mode 100644 index 8eff61c..0000000 --- a/config/hosts/status/nginx.nix +++ /dev/null 
@@ -1,149 +0,0 @@ -# Sources for this configuration: -# - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy - -{ config, ... }: - -{ - services.nginx = { - enable = true; - - virtualHosts = { - "status.hamburg.ccc.de" = { - forceSSL = true; - enableACME = true; - serverName = "status.hamburg.ccc.de"; - - listen = [ - { - addr = "[::]"; - port = 80; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; - }; - }; - "status-proxyprotocol.hamburg.ccc.de" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.hamburg.ccc.de"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - locations."/" = { - proxyPass = "http://localhost:3001"; - proxyWebsockets = true; - }; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. 
- real_ip_header proxy_protocol; - ''; - }; - "status.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.ccchh.net"; - - listen = [ - { - addr = "[::]"; - port = 80; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - }; - "status-proxyprotocol.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 8443; - ssl = true; - proxyProtocol = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - - extraConfig = '' - # Make use of the ngx_http_realip_module to set the $remote_addr and - # $remote_port to the client address and client port, when using proxy - # protocol. - # First set our proxy protocol proxy as trusted. - set_real_ip_from 10.31.206.11; - # Then tell the realip_module to get the addreses from the proxy protocol - # header. - real_ip_header proxy_protocol; - ''; - }; - "status.z9.ccchh.net" = { - forceSSL = true; - useACMEHost = "status.hamburg.ccc.de"; - serverName = "status.z9.ccchh.net"; - - listen = [ - { - addr = "0.0.0.0"; - port = 80; - } - { - addr = "[::]"; - port = 80; - } - { - addr = "0.0.0.0"; - port = 443; - ssl = true; - } - { - addr = "[::]"; - port = 443; - ssl = true; - } - ]; - - globalRedirect = "status.hamburg.ccc.de"; - redirectCode = 307; - }; - }; - }; - - security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [ - "status.ccchh.net" - "status.z9.ccchh.net" - ]; - - networking.firewall.allowedTCPPorts = [ 80 443 8443 ]; -} diff --git a/config/hosts/status/uptime-kuma.nix b/config/hosts/status/uptime-kuma.nix deleted file mode 100644 index 02411f2..0000000 --- a/config/hosts/status/uptime-kuma.nix +++ /dev/null @@ -1,7 +0,0 @@ -{ ... }: - -{ - services.uptime-kuma = { - enable = true; - }; -} diff --git a/flake.nix b/flake.nix index be9e8fb..ccd35db 100644 --- a/flake.nix 
+++ b/flake.nix @@ -201,16 +201,6 @@ ]; }; - status = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - sops-nix.nixosModules.sops - ./config/hosts/status - ]; - }; - penpot = nixpkgs.lib.nixosSystem { inherit system specialArgs; modules = [ From e51e6319187b4507747755db57b91f86040a85f9 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:45:50 +0100 Subject: [PATCH 04/13] flake.lock: Update MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c8aa8cc00a5cb57fada0851a038d35c08a36a2bb' (2025-10-22) → 'github:nixos/nixpkgs/ac62194c3917d5f474c1a844b6fd6da2db95077d' (2026-01-02) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/02f2cb8e0feb4596d20cc52fda73ccee960e3538' (2025-10-24) → 'github:nixos/nixpkgs/3327b113f2ef698d380df83fbccefad7e83d7769' (2026-01-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5a7d18b5c55642df5c432aadb757140edfeb70b3' (2025-10-20) → 'github:Mic92/sops-nix/5e8fae80726b66e9fec023d21cd3b3e638597aa9' (2026-01-18) --- flake.lock | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/flake.lock b/flake.lock index 76a3fc3..fce4089 100644 --- a/flake.lock +++ b/flake.lock @@ -19,11 +19,11 @@ }, "nixpkgs": { "locked": { - "lastModified": 1761173472, - "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=", + "lastModified": 1767313136, + "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", "owner": "nixos", "repo": "nixpkgs", - "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb", + "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", "type": "github" }, "original": { 
@@ -35,11 +35,11 @@ }, "nixpkgs-unstable": { "locked": { - "lastModified": 1761349956, - "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=", + "lastModified": 1768661221, + "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=", "owner": "nixos", "repo": "nixpkgs", - "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538", + "rev": "3327b113f2ef698d380df83fbccefad7e83d7769", "type": "github" }, "original": { @@ -64,11 +64,11 @@ ] }, "locked": { - "lastModified": 1760998189, - "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=", + "lastModified": 1768709255, + "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=", "owner": "Mic92", "repo": "sops-nix", - "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3", + "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9", "type": "github" }, "original": { From 0ea41b3141f373bbe9388110c245500a21963f70 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 21:58:56 +0100 Subject: [PATCH 05/13] remove more hydra-related config --- deployment_configuration.json | 3 --- flake.nix | 15 --------------- 2 files changed, 18 deletions(-) diff --git a/deployment_configuration.json b/deployment_configuration.json index 929f2be..1bb46e7 100644 --- a/deployment_configuration.json +++ b/deployment_configuration.json @@ -23,9 +23,6 @@ }, "penpot": { "targetHostname": "penpot-intern.hamburg.ccc.de" - }, - "hydra": { - "targetHostname": "hydra-intern.hamburg.ccc.de" } } } diff --git a/flake.nix b/flake.nix index ccd35db..bee5868 100644 --- a/flake.nix +++ b/flake.nix @@ -211,16 +211,6 @@ ./config/hosts/penpot ]; }; - - hydra = nixpkgs.lib.nixosSystem { - inherit system specialArgs; - modules = [ - self.nixosModules.common - self.nixosModules.proxmox-vm - self.nixosModules.prometheus-exporter - ./config/hosts/hydra - ]; - }; }; # packages.x86_64-linux = { 
@@ -249,10 +239,5 @@ # }; formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt; - - hydraJobs = { - inherit (self) packages; - nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations; - }; }; } From 30b6d54f953501331ebf9cc5cffb2c8b464a5fc5 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 18 Jan 2026 22:48:13 +0100 Subject: [PATCH 06/13] Upgrade to NixOS 25.11 mjolnir seems to be broken. --- flake.lock | 8 ++++---- flake.nix | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/flake.lock b/flake.lock index fce4089..3230d75 100644 --- a/flake.lock +++ b/flake.lock @@ -19,16 +19,16 @@ }, "nixpkgs": { "locked": { - "lastModified": 1767313136, - "narHash": "sha256-16KkgfdYqjaeRGBaYsNrhPRRENs0qzkQVUooNHtoy2w=", + "lastModified": 1768621446, + "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=", "owner": "nixos", "repo": "nixpkgs", - "rev": "ac62194c3917d5f474c1a844b6fd6da2db95077d", + "rev": "72ac591e737060deab2b86d6952babd1f896d7c5", "type": "github" }, "original": { "owner": "nixos", - "ref": "nixos-25.05", + "ref": "nixos-25.11", "repo": "nixpkgs", "type": "github" } diff --git a/flake.nix b/flake.nix index bee5868..fb48d3f 100644 --- a/flake.nix +++ b/flake.nix @@ -5,7 +5,7 @@ # Use the NixOS small channels for nixpkgs. # https://nixos.org/manual/nixos/stable/#sec-upgrading # https://github.com/NixOS/nixpkgs - nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05"; + nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11"; nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable"; # # Add nixos-generators as an input. From 827c46941515c3e3a83400bbe68f412d6ed39662 Mon Sep 17 00:00:00 2001 
From: June Date: Sun, 18 Jan 2026 22:49:43 +0100 Subject: [PATCH 07/13] forgejo-actions-runner: forgejo-actions-runner is forgejo-runner now Also use package from stable instead of unstable. --- .../hosts/forgejo-actions-runner/forgejo-actions-runner.nix | 4 ++-- flake.nix | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix index 24e1472..376fde6 100644 --- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix +++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix @@ -3,11 +3,11 @@ # - https://forgejo.org/docs/latest/user/actions/ # - https://docs.gitea.com/next/usage/actions/act-runner -{ config, pkgs-unstable, ... }: +{ config, pkgs, ... }: { services.gitea-actions-runner = { - package = pkgs-unstable.forgejo-actions-runner; + package = pkgs.forgejo-runner; instances.ccchh-forgejo-global-docker = { enable = true; name = "Global Docker Forgejo Actions Runner"; diff --git a/flake.nix b/flake.nix index fb48d3f..e976c25 100644 --- a/flake.nix +++ b/flake.nix @@ -147,7 +147,6 @@ ]; specialArgs = { inherit authorizedKeysRepo; - inherit pkgs-unstable; }; }; From 709afd0a1dfc14bbf213542bb4445d8cdb153892 Mon Sep 17 00:00:00 2001 From: June Date: Sun, 25 Jan 2026 20:44:07 +0100 Subject: [PATCH 08/13] Add cpu.ccc.de to static web host (under cpuccc.hamburg.ccc.de for now) --- .../virtualHosts/cpu.ccc.de.nix | 87 +++++++++++++++++++ .../virtualHosts/default.nix | 1 + 2 files changed, 88 insertions(+) create mode 100644 config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix new file mode 100644 index 0000000..d0d01f3 --- /dev/null +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix 
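Review bot: Dropping `inherit pkgs-unstable;` from `specialArgs` in flake.nix makes evaluation fail for any other module of the same nixosSystem that still takes `pkgs-unstable` in its argument set; only this one runner module is switched to `pkgs` in the series, so a grep for that argument before merging is worth it (the enclosing `nixosSystem` block starts outside the hunk). If nothing else uses it, the `pkgs-unstable` binding and the `nixpkgs-unstable` input, which the lockfile update in patch 04 still bumps, presumably become dead weight, though that is inferred rather than visible here. A short comment on the package line, e.g. `# Package was renamed upstream to forgejo-runner; the stable nixpkgs version is used now.`, would explain the switch away from unstable to the next reader.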
@@ -0,0 +1,87 @@ +{ ... }: + +let + # For now under cpuccc.hamburg.ccc.de. + domain = "cpuccc.hamburg.ccc.de"; + # dataDir = "/var/www/${domain}"; + dataDir = "/var/www/cpu.ccc.de"; + deployUser = "cpuccc-website-deploy"; +in +{ + services.nginx.virtualHosts = { + "acme-${domain}" = { + enableACME = true; + serverName = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 31820; + } + ]; + }; + + # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf + "${domain}" = { + forceSSL = true; + useACMEHost = "${domain}"; + + listen = [ + { + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + } + ]; + + root = "${dataDir}"; + + extraConfig = '' + index index.html; + default_type text/plain; + + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + + port_in_redirect off; + ''; + + locations."/" = { + tryFiles = "$uri $uri/ =404"; + + extraConfig = '' + location /feed/ { + default_type application/rss+xml; + types { + text/xml application/rss+xml; + } + } + + location /rss { + default_type application/rss+xml; + } + ''; + }; + }; + }; + + systemd.tmpfiles.rules = [ + "d ${dataDir} 0755 ${deployUser} ${deployUser}" + ]; + + users.users."${deployUser}" = { + isNormalUser = true; + group = "${deployUser}"; + openssh.authorizedKeys.keys = [ + "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de" + ]; + }; + users.groups."${deployUser}" = { }; +} diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 793829a..3532c25 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix 
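Review bot: The deploy account `cpuccc-website-deploy` is created with `isNormalUser = true;` and an unrestricted authorized key, which gives whoever holds that key a full interactive login on the host that also serves the other static virtualHosts, although its only job is to write into `/var/www/cpu.ccc.de`. Limiting it to that job — for example prefixing the key with the OpenSSH `restrict` option plus a forced command for the upload tool in use, or making it a system user with a non-interactive shell — keeps a leaked deploy key from turning into shell access; which upload tool is used is not visible here, so the exact forced command has to come from the deployment side. The nested `location /feed/` and `location /rss` blocks inside `locations."/".extraConfig` work, but expressing them as their own `locations."/feed/"` and `locations."/rss"` entries would keep them visible to the module and consistent with the rest of the file. A header comment on the file such as `# Static site for cpu.ccc.de, published by the deploy user defined below.` would also help.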
+++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -4,6 +4,7 @@ imports = [ ./branding-resources.hamburg.ccc.de.nix ./c3cat.de.nix + ./cpu.ccc.de.nix ./cryptoparty-hamburg.de.nix ./element-admin.hamburg.ccc.de.nix ./element.hamburg.ccc.de.nix From 193ccedbee7ab0bd2d67f120cc6a41407548f9b0 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 27 Jan 2026 15:36:23 +0100 Subject: [PATCH 09/13] public-web-static: setup cpu.ccc.de with redirects from aliases --- .../virtualHosts/cpu.ccc.de.nix | 41 +++++++++++++++++-- 1 file changed, 37 insertions(+), 4 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix index d0d01f3..a6c67f8 100644 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix @@ -1,13 +1,17 @@ { ... }: let - # For now under cpuccc.hamburg.ccc.de. - domain = "cpuccc.hamburg.ccc.de"; - # dataDir = "/var/www/${domain}"; - dataDir = "/var/www/cpu.ccc.de"; + domain = "cpu.ccc.de"; + dataDir = "/var/www/${domain}"; deployUser = "cpuccc-website-deploy"; in { + security.acme.certs."cpu.ccc.de".extraDomainNames = [ + "cpuccc.hamburg.ccc.de" + "lokal.ccc.de" + "local.ccc.de" + ]; + services.nginx.virtualHosts = { "acme-${domain}" = { enableACME = true; 
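Review bot: `security.acme.certs."cpu.ccc.de"` hard-codes the name that `domain` already holds two lines above; `security.acme.certs."${domain}".extraDomainNames = [` keeps one place to change. The new SANs `lokal.ccc.de` and `local.ccc.de` are validated through the `acme-${domain}` vhost on port 31820, which in this setup is reached through the public reverse proxy's `$upstream_acme_challenge_host` map (visible in patch 03); no entries for the two extra names are added anywhere in this series, so unless they are configured elsewhere, issuance for them would presumably fail — worth confirming before the first renewal. The hunk ends inside the `"acme-${domain}"` vhost.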
@@ -70,6 +74,35 @@ in ''; }; }; + + "cpuccc.hamburg.ccc.de" = { + forceSSL = true; + useACMEHost = "cpu.ccc.de"; + serverAliases = [ + "lokal.ccc.de" + "local.ccc.de" + ]; + + listen = [{ + addr = "0.0.0.0"; + port = 8443; + ssl = true; + proxyProtocol = true; + }]; + + locations."/".return = "302 https://cpu.ccc.de"; + + extraConfig = '' + # Make use of the ngx_http_realip_module to set the $remote_addr and + # $remote_port to the client address and client port, when using proxy + # protocol. + # First set our proxy protocol proxy as trusted. + set_real_ip_from 172.31.17.140; + # Then tell the realip_module to get the addreses from the proxy protocol + # header. + real_ip_header proxy_protocol; + ''; + }; }; systemd.tmpfiles.rules = [ From 62885a0095e9b2b0c61180c683ca25eaa30985d3 Mon Sep 17 00:00:00 2001 From: June Date: Tue, 27 Jan 2026 15:44:25 +0100 Subject: [PATCH 10/13] public-web-static: to not log ip addresses just disable the access_log --- config/hosts/public-web-static/nginx.nix | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix index 9d0e173..b69e60b 100644 --- a/config/hosts/public-web-static/nginx.nix +++ b/config/hosts/public-web-static/nginx.nix @@ -1,7 +1,12 @@ { ... }: { - services.nginx.enable = true; + services.nginx = { + enable = true; + appendHttpConfig = '' + access_log off; + ''; + }; networking.firewall.allowedTCPPorts = [ 8443 31820 ]; networking.firewall.allowedUDPPorts = [ 8443 ]; From 175df869287e0673cac44d98cf8fbf6aa7e3438d Mon Sep 17 00:00:00 2001 From: June Date: Tue, 27 Jan 2026 15:47:14 +0100 Subject: [PATCH 11/13] public-web-static: make hamburg.ccc.de the default server --- config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix | 1 + 1 file changed, 1 insertion(+) 
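Review bot: `locations."/".return = "302 https://cpu.ccc.de";` drops the requested path and query, so a link to `https://lokal.ccc.de/feed/` lands on the front page instead of the feed; `locations."/".return = "302 https://${domain}$request_uri";` keeps it and reuses `domain`. `useACMEHost = "cpu.ccc.de"` would likewise read better as `useACMEHost = "${domain}"`. A 301 would let clients cache the redirect if the aliases are meant to be permanent, while 302 is a defensible choice while the names are still settling; a one-line comment stating which was intended would help. The surrounding `services.nginx.virtualHosts` set starts outside the hunk.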
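Review bot: `access_log off;` in `appendHttpConfig` removes all request logging for every vhost on this host, not only the client address, which leaves nothing to work with when investigating abuse, an unexpected change to the deployed content, or a misbehaving redirect. The privacy goal from the commit message can be kept by defining a format without `$remote_addr` and using it instead, e.g. `log_format noip '[$time_local] "$request" $status $body_bytes_sent';` followed by `access_log /var/log/nginx/access.log noip;` (the field list is an example to adapt). Note that `error_log` is unaffected by this directive and can still contain client addresses, and that the realip/proxy-protocol setup in the vhosts means `$remote_addr` is the real client, not the reverse proxy. A comment above the directive recording the rationale, e.g. `# Do not log client IP addresses (privacy).`, would also help.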
diff --git a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix index 8277b5f..1c967c9 100644 --- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix @@ -17,6 +17,7 @@ "hamburg.ccc.de" = { forceSSL = true; useACMEHost = "hamburg.ccc.de"; + default = true; listen = [ { From 213707b31080287d0dc5517897b777dcc062a701 Mon Sep 17 00:00:00 2001 From: June Date: Wed, 28 Jan 2026 15:31:31 +0100 Subject: [PATCH 12/13] public-web-static: remove cpuccc.hamburg.ccc.de alias --- config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix index a6c67f8..d2e779a 100644 --- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix @@ -7,7 +7,6 @@ let in { security.acme.certs."cpu.ccc.de".extraDomainNames = [ - "cpuccc.hamburg.ccc.de" "lokal.ccc.de" "local.ccc.de" ]; @@ -75,11 +74,10 @@ in }; }; - "cpuccc.hamburg.ccc.de" = { + "lokal.ccc.de" = { forceSSL = true; useACMEHost = "cpu.ccc.de"; serverAliases = [ - "lokal.ccc.de" "local.ccc.de" ]; From ebb0cea592d7def9833c9a6c979033ca4132c8cf Mon Sep 17 00:00:00 2001 From: June Date: Sun, 1 Feb 2026 21:06:33 +0100 Subject: [PATCH 13/13] public-web-static: make www.c3cat.de actually work --- config/hosts/public-web-static/virtualHosts/c3cat.de.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix index ff59fab..95f9b59 100644 --- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix +++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix 
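Review bot: Removing `cpuccc.hamburg.ccc.de` from both the certificate's `extraDomainNames` and the vhost means any client still resolving that name to this host now lands on the `default = true` `hamburg.ccc.de` vhost from patch 11 and is served a certificate that does not cover the name, i.e. a TLS error rather than a redirect; whether the DNS record and the reverse proxy's routing for it were removed at the same time is not visible in this series. Keeping the name as a `serverAliases` entry and SAN for a transition period, or confirming the DNS record is gone, avoids that. The renamed `"lokal.ccc.de"` vhost still hard-codes `useACMEHost = "cpu.ccc.de"` where `useACMEHost = "${domain}"` would do.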
@@ -23,7 +23,7 @@ in { ]; }; - "$www.${domain}" = { + "www.${domain}" = { forceSSL = true; useACMEHost = "${domain}";