Add next.hamburg.ccc.de virtualHost config for hosting the new website

In the future next.hamburg.ccc.de might also be used for hosting website
builds of branches or MRs.

config/hosts/public-web-static/virtualHosts/default.nix

@@ -4,5 +4,6 @@
   imports = [
     ./branding-resources.hamburg.ccc.de.nix
     ./element.hamburg.ccc.de.nix
+    ./next.hamburg.ccc.de.nix
   ];
 }

config/hosts/public-web-static/virtualHosts/next.hamburg.ccc.de.nix

@@ -0,0 +1,53 @@
+{ pkgs, ... }:
+
+{
+  services.nginx.virtualHosts = {
+    "acme-next.hamburg.ccc.de" = {
+      enableACME = true;
+      serverName = "next.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 31820;
+        }
+      ];
+    };
+
+    "next.hamburg.ccc.de" = {
+      forceSSL = true;
+      useACMEHost = "next.hamburg.ccc.de";
+
+      listen = [
+        {
+          addr = "0.0.0.0";
+          port = 8443;
+          ssl = true;
+          extraParameters = [ "proxy_protocol" ];
+        }
+      ];
+
+      root = "/var/www/next.hamburg.ccc.de/";
+
+      extraConfig = ''
+        # Make use of the ngx_http_realip_module to set the $remote_addr and
+        # $remote_port to the client address and client port, when using proxy
+        # protocol.
+        # First set our proxy protocol proxy as trusted.
+        set_real_ip_from 172.31.17.140;
+        # Then tell the realip_module to get the addreses from the proxy protocol
+        # header.
+        real_ip_header proxy_protocol;
+      '';
+    };
+  };
+
+  users.users.ccchh-website-deploy = {
+    isNormalUser = true;
+    group = "ccchh-website-deploy";
+    openssh.authorizedKeys.keys = [
+      "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILX847OMjYC+he1nbV37rrdCQVGINFY43CwLjZDM9iyb next.hamburg.ccc.de deployment key"
+    ];
+  };
+  users.groups.ccchh-website-deploy = { };
+}