public-web-static: make www.c3cat.de actually work

public-web-static: remove cpuccc.hamburg.ccc.de alias
public-web-static: make hamburg.ccc.de the default server
2026-02-01 21:06:33 +01:00 · 2026-01-28 15:31:31 +01:00 · 2026-01-27 15:47:14 +01:00 · 2026-01-27 15:44:25 +01:00 · 2026-01-27 15:36:23 +01:00 · 2026-01-25 20:44:07 +01:00
22 changed files with 158 additions and 403 deletions
--- a/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
+++ b/config/hosts/forgejo-actions-runner/forgejo-actions-runner.nix
@ -3,11 +3,11 @@
 # - https://forgejo.org/docs/latest/user/actions/
 # - https://docs.gitea.com/next/usage/actions/act-runner
-{ config, pkgs-unstable, ... }:
+{ config, pkgs, ... }:
 {
  services.gitea-actions-runner = {
-    package = pkgs-unstable.forgejo-actions-runner;
+    package = pkgs.forgejo-runner;
    instances.ccchh-forgejo-global-docker = {
      enable = true;
      name = "Global Docker Forgejo Actions Runner";
--- a/config/hosts/hydra/configuration.nix
+++ b/config/hosts/hydra/configuration.nix
@ -1,9 +0,0 @@
 { ... }:
 {
  networking = {
    hostName = "hydra";
  };
  system.stateVersion = "24.05";
 }
--- a/config/hosts/hydra/default.nix
+++ b/config/hosts/hydra/default.nix
@ -1,11 +0,0 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./hydra.nix
    ./networking.nix
    ./nginx.nix
    ./nix.nix
  ];
 }
--- a/config/hosts/hydra/hydra.nix
+++ b/config/hosts/hydra/hydra.nix
@ -1,15 +0,0 @@
 { ... }:
 {
  services.hydra = {
    enable = true;
    listenHost = "localhost";
    port = 3000;
    hydraURL = "https://hydra.hamburg.ccc.de/";
    # E-Mail configuration requires some work/investigation still.
    notificationSender = "no-reply@hydra.hamburg.ccc.de";
    useSubstitutes = true;
    minimumDiskFree = 8;
    minimumDiskFreeEvaluator = 2;
  };
 }
--- a/config/hosts/hydra/networking.nix
+++ b/config/hosts/hydra/networking.nix
@ -1,22 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "172.31.17.163";
          prefixLength = 25;
        }
      ];
    };
    defaultGateway = "172.31.17.129";
    nameservers = [ "212.12.50.158" "192.76.134.90" ];
    search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:45:7C:D6";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/hydra/nginx.nix
+++ b/config/hosts/hydra/nginx.nix
@ -1,58 +0,0 @@
 { config, pkgs, ... }:
 let
  domain = "hydra.hamburg.ccc.de";
 in
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "acme-${domain}" = {
        default = true;
        enableACME = true;
        serverName = "${domain}";
        listen = [
          {
            addr = "0.0.0.0";
            port = 31820;
          }
        ];
      };
      "${domain}" = {
        default = true;
        forceSSL = true;
        useACMEHost = "${domain}";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://${config.services.hydra.listenHost}:${builtins.toString config.services.hydra.port}";
        };
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 172.31.17.140;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
    };
  };
  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
  networking.firewall.allowedUDPPorts = [ 8443 ];
 }
--- a/config/hosts/hydra/nix.nix
+++ b/config/hosts/hydra/nix.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  # Allow Hydra to fetch flake inputs.
  nix.settings.allowed-uris = [
    "github:"
    "https://github.com/"
    "https://git.hamburg.ccc.de/"
  ];
 }
--- a/config/hosts/mjolnir/networking.nix
+++ b/config/hosts/mjolnir/networking.nix
@ -1,18 +1,24 @@
 { ... }:
 {
-  networking = {
+  networking.useDHCP = false;
-    interfaces.net0 = {
+
-      ipv4.addresses = [
+  services.cloud-init = {
-        {
+    enable = true;
-          address = "172.31.17.161";
+    network.enable = true;
-          prefixLength = 25;
+
-        }
+    # Version without ssh of:
    # https://github.com/NixOS/nixpkgs/blob/3c9db02515ef1d9b6b709fc60ba9a540957f661c/nixos/modules/services/system/cloud-init.nix#L145
    # So we don't get ssh hostkey regenerations.
    settings.cloud_config_modules = [
        "disk_setup"
        "mounts"
        "ssh-import-id"
        "set-passwords"
        "timezone"
        "disable-ec2-metadata"
        "runcmd"
      ];
    };
    defaultGateway = "172.31.17.129";
    nameservers = [ "212.12.50.158" "192.76.134.90" ];
    search = [ "hamburg.ccc.de" ];
  };
  systemd.network.links."10-net0" = {
--- a/config/hosts/public-reverse-proxy/nginx.nix
+++ b/config/hosts/public-reverse-proxy/nginx.nix
@ -6,22 +6,6 @@
 { config, pkgs, ... }:
 {
  services.nginx.streamConfig = ''
    map $ssl_preread_server_name $address {
        status.ccchh.net 10.31.206.15:8443;
        status.hamburg.ccc.de 10.31.206.15:8443;
    }
    # Listen on port 443 as a reverse proxy and use PROXY Protocol for the
    # upstreams.
    server {
        listen 0.0.0.0:443;
        proxy_pass $address;
        ssl_preread on;
        proxy_protocol on;
    }
  '';
  services.nginx.appendHttpConfig = ''
    map $host $upstream_acme_challenge_host {
        club-assistant.ccchh.net 10.31.208.10;
@ -35,7 +19,6 @@
        zigbee2mqtt.ccchh.net 10.31.208.25:31820;
        esphome.ccchh.net 10.31.208.24:31820;
        proxmox-backup-server.ccchh.net 10.31.208.28;
        status.ccchh.net 10.31.206.15:31820;
        default "";
    }
  '';
--- a/config/hosts/public-web-static/nginx.nix
+++ b/config/hosts/public-web-static/nginx.nix
@ -1,7 +1,12 @@
 { ... }:
 {
-  services.nginx.enable = true;
+  services.nginx = {
    enable = true;
    appendHttpConfig = ''
      access_log off;
    '';
  };
  networking.firewall.allowedTCPPorts = [ 8443 31820 ];
  networking.firewall.allowedUDPPorts = [ 8443 ];
--- a/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/c3cat.de.nix
@ -23,7 +23,7 @@ in {
      ];
    };
-    "$www.${domain}" = {
+    "www.${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
--- a/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/cpu.ccc.de.nix
@ -0,0 +1,118 @@
 { ... }:
 let
  domain = "cpu.ccc.de";
  dataDir = "/var/www/${domain}";
  deployUser = "cpuccc-website-deploy";
 in
 {
  security.acme.certs."cpu.ccc.de".extraDomainNames = [
    "lokal.ccc.de"
    "local.ccc.de"
  ];
  services.nginx.virtualHosts = {
    "acme-${domain}" = {
      enableACME = true;
      serverName = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 31820;
        }
      ];
    };
    # https://git.hamburg.ccc.de/CCCHH/cpu.ccc.de/src/branch/main/nginx.conf
    "${domain}" = {
      forceSSL = true;
      useACMEHost = "${domain}";
      listen = [
        {
          addr = "0.0.0.0";
          port = 8443;
          ssl = true;
          proxyProtocol = true;
        }
      ];
      root = "${dataDir}";
      extraConfig = ''
        index index.html;
        default_type text/plain;
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
        port_in_redirect off;
      '';
      locations."/" = {
        tryFiles = "$uri $uri/ =404";
        extraConfig = ''
          location /feed/ {
            default_type application/rss+xml;
            types {
              text/xml application/rss+xml;
            }
          }
          location /rss {
            default_type application/rss+xml;
          }
        '';
      };
    };
    "lokal.ccc.de" = {
      forceSSL = true;
      useACMEHost = "cpu.ccc.de";
      serverAliases = [
        "local.ccc.de"
      ];
      listen = [{
        addr = "0.0.0.0";
        port = 8443;
        ssl = true;
        proxyProtocol = true;
      }];
      locations."/".return = "302 https://cpu.ccc.de";
      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
        # $remote_port to the client address and client port, when using proxy
        # protocol.
        # First set our proxy protocol proxy as trusted.
        set_real_ip_from 172.31.17.140;
        # Then tell the realip_module to get the addreses from the proxy protocol
        # header.
        real_ip_header proxy_protocol;
      '';
    };
  };
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
  users.users."${deployUser}" = {
    isNormalUser = true;
    group = "${deployUser}";
    openssh.authorizedKeys.keys = [
      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOnO7g/7mVVKnvkszto8m3nPljO/6qQc/34aEbrhKOvn deploy key for cpu.ccc.de"
    ];
  };
  users.groups."${deployUser}" = { };
 }
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@ -4,6 +4,7 @@
  imports = [
    ./branding-resources.hamburg.ccc.de.nix
    ./c3cat.de.nix
    ./cpu.ccc.de.nix
    ./cryptoparty-hamburg.de.nix
    ./element-admin.hamburg.ccc.de.nix
    ./element.hamburg.ccc.de.nix
--- a/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/hamburg.ccc.de.nix
@ -17,6 +17,7 @@
    "hamburg.ccc.de" = {
      forceSSL = true;
      useACMEHost = "hamburg.ccc.de";
      default = true;
      listen = [
        {
--- a/config/hosts/status/configuration.nix
+++ b/config/hosts/status/configuration.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  networking = {
    hostName = "status";
    domain = "z9.ccchh.net";
  };
  system.stateVersion = "24.05";
 }
--- a/config/hosts/status/default.nix
+++ b/config/hosts/status/default.nix
@ -1,10 +0,0 @@
 { ... }:
 {
  imports = [
    ./configuration.nix
    ./networking.nix
    ./nginx.nix
    ./uptime-kuma.nix
  ];
 }
--- a/config/hosts/status/networking.nix
+++ b/config/hosts/status/networking.nix
@ -1,29 +0,0 @@
 { ... }:
 {
  networking = {
    interfaces.net0 = {
      ipv4.addresses = [
        {
          address = "10.31.206.15";
          prefixLength = 23;
        }
      ];
      ipv6.addresses = [
        {
          address = "2a07:c481:1:ce::a";
          prefixLength = 64;
        }
      ];
    };
    defaultGateway = "10.31.206.1";
    defaultGateway6 = "2a07:c481:1:ce::1";
    nameservers = [ "10.31.206.1" "2a07:c481:1:ce::1" ];
    search = [ "z9.ccchh.net" ];
  };
  systemd.network.links."10-net0" = {
    matchConfig.MACAddress = "BC:24:11:79:D3:E1";
    linkConfig.Name = "net0";
  };
 }
--- a/config/hosts/status/nginx.nix
+++ b/config/hosts/status/nginx.nix
@ -1,149 +0,0 @@
 # Sources for this configuration:
 # - https://github.com/louislam/uptime-kuma/wiki/Reverse-Proxy
 { config, ... }:
 {
  services.nginx = {
    enable = true;
    virtualHosts = {
      "status.hamburg.ccc.de" = {
        forceSSL = true;
        enableACME = true;
        serverName = "status.hamburg.ccc.de";
        listen = [
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://localhost:3001";
          proxyWebsockets = true;
        };
      };
      "status-proxyprotocol.hamburg.ccc.de" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.hamburg.ccc.de";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        locations."/" = {
          proxyPass = "http://localhost:3001";
          proxyWebsockets = true;
        };
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 10.31.206.11;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
      "status.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.ccchh.net";
        listen = [
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        globalRedirect = "status.hamburg.ccc.de";
        redirectCode = 307;
      };
      "status-proxyprotocol.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 8443;
            ssl = true;
            proxyProtocol = true;
          }
        ];
        globalRedirect = "status.hamburg.ccc.de";
        redirectCode = 307;
        extraConfig = ''
          # Make use of the ngx_http_realip_module to set the $remote_addr and
          # $remote_port to the client address and client port, when using proxy
          # protocol.
          # First set our proxy protocol proxy as trusted.
          set_real_ip_from 10.31.206.11;
          # Then tell the realip_module to get the addreses from the proxy protocol
          # header.
          real_ip_header proxy_protocol;
        '';
      };
      "status.z9.ccchh.net" = {
        forceSSL = true;
        useACMEHost = "status.hamburg.ccc.de";
        serverName = "status.z9.ccchh.net";
        listen = [
          {
            addr = "0.0.0.0";
            port = 80;
          }
          {
            addr = "[::]";
            port = 80;
          }
          {
            addr = "0.0.0.0";
            port = 443;
            ssl = true;
          }
          {
            addr = "[::]";
            port = 443;
            ssl = true;
          }
        ];
        globalRedirect = "status.hamburg.ccc.de";
        redirectCode = 307;
      };
    };
  };
  security.acme.certs."status.hamburg.ccc.de".extraDomainNames = [
    "status.ccchh.net"
    "status.z9.ccchh.net"
  ];
  networking.firewall.allowedTCPPorts = [ 80 443 8443 ];
 }
--- a/config/hosts/status/uptime-kuma.nix
+++ b/config/hosts/status/uptime-kuma.nix
@ -1,7 +0,0 @@
 { ... }:
 {
  services.uptime-kuma = {
    enable = true;
  };
 }
--- a/deployment_configuration.json
+++ b/deployment_configuration.json
@ -16,16 +16,13 @@
      "targetHostname": "forgejo-actions-runner-intern.hamburg.ccc.de"
    },
    "mjolnir": {
-      "targetHostname": "mjolnir-intern.hamburg.ccc.de"
+      "targetHostname": "mjolnir.hosts.hamburg.ccc.de"
    },
    "woodpecker": {
      "targetHostname": "woodpecker-intern.hamburg.ccc.de"
    },
    "penpot": {
      "targetHostname": "penpot-intern.hamburg.ccc.de"
    },
    "hydra": {
      "targetHostname": "hydra-intern.hamburg.ccc.de"
    }
  }
 }
--- a/flake.lock
+++ b/flake.lock
@ -19,27 +19,27 @@
    },
    "nixpkgs": {
      "locked": {
-        "lastModified": 1761173472,
+        "lastModified": 1768621446,
-        "narHash": "sha256-m9W0dYXflzeGgKNravKJvTMR4Qqa2MVD11AwlGMufeE=",
+        "narHash": "sha256-6YwHV1cjv6arXdF/PQc365h1j+Qje3Pydk501Rm4Q+4=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "c8aa8cc00a5cb57fada0851a038d35c08a36a2bb",
+        "rev": "72ac591e737060deab2b86d6952babd1f896d7c5",
        "type": "github"
      },
      "original": {
        "owner": "nixos",
-        "ref": "nixos-25.05",
+        "ref": "nixos-25.11",
        "repo": "nixpkgs",
        "type": "github"
      }
    },
    "nixpkgs-unstable": {
      "locked": {
-        "lastModified": 1761349956,
+        "lastModified": 1768661221,
-        "narHash": "sha256-tH3wHnOJms+U4k/rK2Nn1RfBrhffX92jLP/2VndSn0w=",
+        "narHash": "sha256-MJwOjrIISfOpdI9x4C+5WFQXvHtOuj5mqLZ4TMEtk1M=",
        "owner": "nixos",
        "repo": "nixpkgs",
-        "rev": "02f2cb8e0feb4596d20cc52fda73ccee960e3538",
+        "rev": "3327b113f2ef698d380df83fbccefad7e83d7769",
        "type": "github"
      },
      "original": {
@ -64,11 +64,11 @@
        ]
      },
      "locked": {
-        "lastModified": 1760998189,
+        "lastModified": 1768709255,
-        "narHash": "sha256-ee2e1/AeGL5X8oy/HXsZQvZnae6XfEVdstGopKucYLY=",
+        "narHash": "sha256-aigyBfxI20FRtqajVMYXHtj5gHXENY2gLAXEhfJ8/WM=",
        "owner": "Mic92",
        "repo": "sops-nix",
-        "rev": "5a7d18b5c55642df5c432aadb757140edfeb70b3",
+        "rev": "5e8fae80726b66e9fec023d21cd3b3e638597aa9",
        "type": "github"
      },
      "original": {
--- a/flake.nix
+++ b/flake.nix
@ -5,7 +5,7 @@
    # Use the NixOS small channels for nixpkgs.
    # https://nixos.org/manual/nixos/stable/#sec-upgrading
    # https://github.com/NixOS/nixpkgs
-    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.05";
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-25.11";
    nixpkgs-unstable.url = "github:nixos/nixpkgs/nixpkgs-unstable";
    # # Add nixos-generators as an input.
@ -147,7 +147,6 @@
          ];
          specialArgs = {
            inherit authorizedKeysRepo;
            inherit pkgs-unstable;
          };
        };
@ -201,16 +200,6 @@
          ];
        };
        status = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            sops-nix.nixosModules.sops
            ./config/hosts/status
          ];
        };
        penpot = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
@ -221,16 +210,6 @@
            ./config/hosts/penpot
          ];
        };
        hydra = nixpkgs.lib.nixosSystem {
          inherit system specialArgs;
          modules = [
            self.nixosModules.common
            self.nixosModules.proxmox-vm
            self.nixosModules.prometheus-exporter
            ./config/hosts/hydra
          ];
        };
      };
      # packages.x86_64-linux = {
@ -259,10 +238,5 @@
      # };
      formatter.x86_64-linux = nixpkgs.legacyPackages.x86_64-linux.nixpkgs-fmt;
      hydraJobs = {
        inherit (self) packages;
        nixosConfigurations = builtins.mapAttrs (name: value: value.config.system.build.toplevel) self.nixosConfigurations;
      };
    };
 }
Author	SHA1	Message	Date
June	ebb0cea592	public-web-static: make www.c3cat.de actually work	2026-02-01 21:06:33 +01:00
June	213707b310	public-web-static: remove cpuccc.hamburg.ccc.de alias	2026-01-28 15:31:31 +01:00
June	175df86928	public-web-static: make hamburg.ccc.de the default server	2026-01-27 15:47:14 +01:00
June	62885a0095	public-web-static: to not log ip addresses just disable the access_log	2026-01-27 15:44:25 +01:00
June	193ccedbee	public-web-static: setup cpu.ccc.de with redirects from aliases	2026-01-27 15:36:23 +01:00
June	709afd0a1d	Add cpu.ccc.de to static web host (under cpuccc.hamburg.ccc.de for now)	2026-01-25 20:44:07 +01:00
June	827c469415	forgejo-actions-runner: forgejo-actions-runner is forgejo-runner now Also use package from stable instead of unstable.	2026-01-18 22:49:43 +01:00
June	30b6d54f95	Upgrade to NixOS 25.11 mjolnir seems to be broken.	2026-01-18 22:48:13 +01:00
June	0ea41b3141	remove more hydra-related config	2026-01-18 21:58:56 +01:00
June	e51e631918	flake.lock: Update Flake lock file updates: • Updated input 'nixpkgs': 'github:nixos/nixpkgs/c8aa8cc00a5cb57fada0851a038d35c08a36a2bb' (2025-10-22) → 'github:nixos/nixpkgs/ac62194c3917d5f474c1a844b6fd6da2db95077d' (2026-01-02) • Updated input 'nixpkgs-unstable': 'github:nixos/nixpkgs/02f2cb8e0feb4596d20cc52fda73ccee960e3538' (2025-10-24) → 'github:nixos/nixpkgs/3327b113f2ef698d380df83fbccefad7e83d7769' (2026-01-17) • Updated input 'sops-nix': 'github:Mic92/sops-nix/5a7d18b5c55642df5c432aadb757140edfeb70b3' (2025-10-20) → 'github:Mic92/sops-nix/5e8fae80726b66e9fec023d21cd3b3e638597aa9' (2026-01-18)	2026-01-18 21:45:50 +01:00
June	28d82f149d	status: remove status as it got replaced by a ansible-managed Gatus	2026-01-18 21:09:15 +01:00
June	79952f8c63	hydra: remove hydra as its being decommissioned nix-infra is built back in general, so remove hydra as well.	2026-01-17 22:06:24 +01:00
June	c9e27a5bb6	mjolnir: use cloud-init for network configuration and move to new net. Switch to cloud-init to align with the Ansible infra. Also move to new network and hostname.	2026-01-07 19:20:50 +01:00