From bbfe9eba6f0d15ab75b7ee673043117e7620946b Mon Sep 17 00:00:00 2001 From: lilly Date: Fri, 27 Feb 2026 21:04:40 +0100 Subject: [PATCH] deploy diday.org site --- config/hosts/public-web-static/nginx.nix | 2 +- config/hosts/public-web-static/secrets.yaml | 8 +++-- .../virtualHosts/default.nix | 2 +- .../virtualHosts/diday.org.nix | 8 +++++ ...mburg.ccc.de.nix => staging.diday.org.nix} | 32 +++++++++---------- 5 files changed, 30 insertions(+), 22 deletions(-) rename config/hosts/public-web-static/virtualHosts/{staging.did.hamburg.ccc.de.nix => staging.diday.org.nix} (69%) diff --git a/config/hosts/public-web-static/nginx.nix b/config/hosts/public-web-static/nginx.nix index 7568ce4..2e94ebf 100644 --- a/config/hosts/public-web-static/nginx.nix +++ b/config/hosts/public-web-static/nginx.nix @@ -8,7 +8,7 @@ # load the DI-Day redirect map from the webroot map $request_uri $did_redirect_target { - include /var/www/did.hamburg.ccc.de/nginx-redirects.conf; + include /var/www/diday.org/nginx-redirects.conf; } ''; }; diff --git a/config/hosts/public-web-static/secrets.yaml b/config/hosts/public-web-static/secrets.yaml index 4840158..e8080d8 100644 --- a/config/hosts/public-web-static/secrets.yaml +++ b/config/hosts/public-web-static/secrets.yaml 
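Review bot: The `include /var/www/diday.org/nginx-redirects.conf;` line makes the whole nginx configuration depend on a file inside a webroot. If that file is missing at the new path when this is activated, or a site deploy writes a malformed one, the nginx config test fails and every vhost on this host is affected. If the webroot is writable by the website deploy user (the staging webroot is, per the tmpfiles rule in staging.diday.org.nix), that user also decides the redirect targets behind `$did_redirect_target`. I would confirm the file is already deployed under /var/www/diday.org and add a comment such as `# must exist before activation; written by the site deploy and trusted as redirect targets`. The enclosing config block starts outside the hunk.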
@@ -1,4 +1,6 @@ spaceapid_config_ccchh_credentials: ENC[AES256_GCM,data:5IClrKKMO/AztQuGabrnoRFItYNeEmVWGeafomVO94pL1RKzL1sCxBxnmzvJFPb/8Y+6FXMh+Mim4DP8B2RaJMLpmqCv+76N/5+527SZ6gn9i2Klg6q0kD9RzJv40qHq/NYLCa24tpcZDt7eB0EOgqLsKUmtX2LrQjjnN3NzjAevJGKQ5ypnb7xygjft2KrpvlR1hMnZ0XpSLDTNR1AmImxE24JtDaJKzwXbptr2IZvm1UFkNslxdqHPjN+N8+MSSLhqHy/FdcY2ADvsTX1jtjnjkb+9E30QOeCiFPKSmWtSGiQ9sPcQna1yr717Vk0EiNSAWDQ2fMZyJUgBXG6w3wiZbxfJmxvshLPs5KguF9NHER+Seps1QiE0p16c0IS/0Y24UYrK2GyUIcSReGufjxUFGTJHFSsNANac34H/RTs7BkoZ,iv:8WzTRaXVeH5GKmigMVTLVBnhy6nXZnTZHLAYHcqDs2s=,tag:jTdgz0gmruMWWDBQ3h70vw==,type:str] +staging.diday.org: + lego.env: ENC[AES256_GCM,data:PCah9T6gKMADx47bhT5fTcylnKjC8ZDjZl4E4FJRa1zUmihLe8hj65w=,iv:IrIgBPHvaQx2bjrUapzmcsMoQ+Md4edsJQmL+ykJddE=,tag:SV8igeQ2/o7V3oJUdYMc2Q==,type:str] sops: age: - recipient: age19h7xtfmt3py3ydgl8d8fgh8uakxqxjr74flrxev3pgmvvx94kvtq5d932d @@ -19,8 +21,8 @@ sops: ZE9rN3R4aHRXR0dBc2oxcEYrL1lxZncKuVocF84+ge1gyzfNjIxhwNgd8+kJIpxh yREbS2mrQ2zvSMtw9OoA0KJSpoHZfIiCwn2uYkQDPiGB/721JmA12Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-26T01:21:16Z" - mac: ENC[AES256_GCM,data:ENLJIlcUXLEt+vXp/F2YATUZrc9ZjaE4AWwvG280etdsufEw/vGAWBhG2KT+CkcZLaJ4ctVvNlJEqU/pRzae+m/43SV3GNAG+jjT2VmNm0NyNYN27bpsj4tq11D27LPn7CkfBUB0gnmGJXVKalxhFkHBf+eq3ted8dPIv9YNRt8=,iv:Yfz7scjN3qDY9lV1SYOqrejiEwf4dVSPJhiFRJyFPio=,tag:SOw4Nhx6wwYIisRJl0SSRA==,type:str] + lastmodified: "2026-02-27T19:45:05Z" + mac: ENC[AES256_GCM,data:7tjKwRlcOHEg+CU5BP20gzjLK2YFTDtoHmQlsQsiy4JjRNIeVDWtzTnwsMwQ9KuDaGaJqL8Tgmu7nUZyDPS44G58by19oLIRRFj1emaNUigJQGCqNM5zKA9wF7OZKpnK0y3adu7ydNrtoBvw//9vWPZ0WMUwJXHNsyKMOHs36Yo=,iv:kIaDPhrbDMogNAgOVYvyDeAgc/FmzwHANoB+O9WGuV0=,tag:J3jejVDNGLquiiBkNiHbtQ==,type:str] pgp: - created_at: "2026-02-17T22:22:02Z" enc: |- @@ -145,4 +147,4 @@ sops: -----END PGP MESSAGE----- fp: B71138A6A8964A3C3B8899857B4F70C356765BAB unencrypted_suffix: _unencrypted - version: 3.8.1 + version: 3.11.0 
diff --git a/config/hosts/public-web-static/virtualHosts/default.nix b/config/hosts/public-web-static/virtualHosts/default.nix index 1ac82c3..11e9ea1 100644 --- a/config/hosts/public-web-static/virtualHosts/default.nix +++ b/config/hosts/public-web-static/virtualHosts/default.nix @@ -18,8 +18,8 @@ ./staging.hackertours.hamburg.ccc.de.nix ./staging.hamburg.ccc.de.nix ./www.hamburg.ccc.de.nix - ./staging.did.hamburg.ccc.de.nix ./diday.org.nix + ./staging.diday.org.nix ./historic-easterhegg ]; } diff --git a/config/hosts/public-web-static/virtualHosts/diday.org.nix b/config/hosts/public-web-static/virtualHosts/diday.org.nix index 9c908ac..547c797 100644 --- a/config/hosts/public-web-static/virtualHosts/diday.org.nix +++ b/config/hosts/public-web-static/virtualHosts/diday.org.nix @@ -36,6 +36,10 @@ in } ]; + basicAuth = { + "preview" = "liebe"; + }; + extraConfig = '' return 301 https://diday.org; ''; @@ -54,6 +58,10 @@ in } ]; + basicAuth = { + "preview" = "liebe"; + }; + root = "${dataDir}"; extraConfig = '' diff --git a/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix similarity index 69% rename from config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix rename to config/hosts/public-web-static/virtualHosts/staging.diday.org.nix index ad2b246..35a301d 100644 --- a/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix +++ b/config/hosts/public-web-static/virtualHosts/staging.diday.org.nix 
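Review bot: The `basicAuth = { "preview" = "liebe"; };` blocks added in both hunks of diday.org.nix commit the password in clear text, and NixOS renders `basicAuth` into a plain-text file in the world-readable Nix store; the same pair is added again in staging.diday.org.nix. The repository already uses sops, so prefer `basicAuthFile = config.sops.secrets."<htpasswd-secret>".path;` together with `sops.secrets."<htpasswd-secret>".owner = "nginx";` (placeholder name; the secret holds an htpasswd line), and treat the committed password as no longer secret. In the first hunk the vhost's `extraConfig` is `return 301 https://diday.org;`, which nginx evaluates in the rewrite phase before authentication is checked, so the block there most likely has no effect and can be dropped. Both vhost definitions start and end outside the hunks.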
@@ -1,29 +1,23 @@ -{ ... }: +{ config, ... }: let - domain = "staging.did.hamburg.ccc.de"; + domain = "staging.diday.org"; dataDir = "/var/www/${domain}"; deployUser = "diday-website-deploy"; in { - # security.acme.certs."${domain}".extraDomainNames = []; + security.acme.certs."${domain}" = { + domain = "*.diday.org"; + group = "nginx"; + server = "https://acme-staging-v02.api.letsencrypt.org/directory"; + dnsProvider = "desec"; + environmentFile = config.sops.secrets."staging.diday.org/lego.env".path; + }; services.nginx.virtualHosts = { - "acme-${domain}" = { - enableACME = true; - serverName = "${domain}"; - - listen = [ - { - addr = "0.0.0.0"; - port = 31820; - } - ]; - }; - "${domain}" = { - forceSSL = true; useACMEHost = "${domain}"; + forceSSL = true; listen = [ { @@ -34,7 +28,9 @@ in } ]; - root = "${dataDir}"; + basicAuth = { + "preview" = "liebe"; + }; extraConfig = '' # Make use of the ngx_http_realip_module to set the $remote_addr and @@ -56,4 +52,6 @@ in systemd.tmpfiles.rules = [ "d ${dataDir} 0755 ${deployUser} ${deployUser}" ]; + + sops.secrets."staging.diday.org/lego.env" = {}; }
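Review bot: The `server = "https://acme-staging-v02.api.letsencrypt.org/directory";` line in the new `security.acme.certs."${domain}"` block requests the certificate from Let's Encrypt's staging CA, whose chain browsers do not trust, so with `forceSSL = true` every visitor to the vhost gets a certificate error. If this is a deliberate dry run, mark it with `# TODO: drop to use the production ACME directory once DNS-01 issuance works`; otherwise remove the line. The block also requests `domain = "*.diday.org"` under the certificate name staging.diday.org: the key, readable by group `nginx`, is then valid for every subdomain, and the wildcard does not cover the apex. If only this vhost uses it, `domain = "staging.diday.org";` keeps the exposure narrower, and the deSEC token in `lego.env` should be limited to what DNS-01 needs.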
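Review bot: The second hunk deletes `root = "${dataDir}";` and puts the `basicAuth` block in its place, while the tmpfiles rule that creates `${dataDir}` for the deploy user stays. Unless `root` is set in the part of the vhost outside this hunk, nginx will fall back to its default root and the deployed staging site will not be served. In diday.org.nix the same block was added above `root` rather than replacing it, so this looks unintended; keep `root = "${dataDir}";` directly after the `basicAuth` block.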