From a8229bfd0dff789ead94036c49f3338683e74f2e Mon Sep 17 00:00:00 2001
From: lilly
Date: Wed, 18 Feb 2026 14:11:30 +0100
Subject: [PATCH] configure specific diday website requirements
---
config/hosts/public-web-static/nginx.nix | 5 ++
.../virtualHosts/did.hamburg.ccc.de.nix | 55 +++++++++++++++++++
2 files changed, 60 insertions(+)
diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix
index b69e60b..7568ce4 100644
--- a/config/hosts/public-web-static/nginx.nix
+++ b/config/hosts/public-web-static/nginx.nix
@@ -5,6 +5,11 @@
enable = true;
appendHttpConfig = ''
access_log off;
+
+ # load the DI-Day redirect map from the webroot
+ map $request_uri $did_redirect_target {
+ include /var/www/did.hamburg.ccc.de/nginx-redirects.conf;
+ }
'';
};
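Review bot: The `include /var/www/did.hamburg.ccc.de/nginx-redirects.conf;` line pulls a file from the site's webroot into the http-level configuration, so whoever can write to that webroot (presumably the website's deploy pipeline) also controls part of the nginx configuration on this host. If the file is missing or malformed, the configuration test fails, and since `appendHttpConfig` lands in the shared http block this would affect reloads for every virtual host served here, not only did.hamburg.ccc.de. Validate the file in the deploy step before it reaches the webroot and document the dependency, for example `# NOTE: deploy-controlled file; a missing or invalid file breaks nginx reload for all vhosts, and edits only apply after a reload`. Also note that `$request_uri` includes the query string, so a plain map key such as `/old` will not match `/old?x=1` unless the file uses regex entries.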
diff --git a/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
index 923053e..6a89a22 100644
--- a/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/did.hamburg.ccc.de.nix
@@ -49,6 +49,61 @@ in
error_page 404 /404.html;
port_in_redirect off;
+
+ index index.html;
+
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # return a redirect based on the map loaded from the webroot
+ if ($did_redirect_target ~ ^301:(.*)$) {
+ return 301 $1;
+ }
+ if ($did_redirect_target ~ ^302:(.*)$) {
+ return 302 $1;
+ }
+
+ # deny access to the redirects config file
+ location = /nginx-redirects.conf {
+ deny all;
+ return 404;
+ }
+
+ # dynamically redirect the user to the language they prefer
+ location = / {
+ set $lang "de";
+ if ($http_accept_language ~* "^en") {
+ set $lang "en";
+ }
+ return 302 /$lang/;
+ }
+
+ # configure decap-cms content-type and caching rules
+ location = /admin/cms.js {
+ expires -1;
+ add_header Cache-Control "no-store";
+ }
+ location = /admin/config.yml {
+ expires -1;
+ add_header Cache-Control "no-store";
+ types { }
+ default_type text/yaml;
+ }
+
+ # configure asset caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ }
+
+ # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
+ location /admin/src/ {
+ log_not_found off;
+ return 404;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
'';
};
};
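Review bot: The `add_header` lines inside `location = /admin/cms.js`, `location = /admin/config.yml` and the asset-caching regex location replace the server-level headers instead of extending them, because nginx inherits `add_header` from the outer level only when the location defines none of its own. Responses from those three locations therefore lose the `Referrer-Policy` header added at the top of this hunk, and likely any security headers set in the part of the server block above the hunk, which is not visible here. Repeat `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` in each of those locations, or move the shared headers into a snippet that every location includes. Separately, `deny all;` in `location = /nginx-redirects.conf` never takes effect because `return 404;` runs earlier in the rewrite phase, so it can be dropped. The asset regex location also wins over the prefix `location /admin/src/` for image URLs under that path unless that prefix is declared as `location ^~ /admin/src/`.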