deploy diday.org site

2026-02-27 21:04:40 +01:00 · 2026-02-27 21:04:40 +01:00 · bbfe9eba6f
commit bbfe9eba6f
parent 99efc60fce
6 changed files with 72 additions and 64 deletions
--- a/config/hosts/public-web-static/virtualHosts/default.nix
+++ b/config/hosts/public-web-static/virtualHosts/default.nix
@ -18,8 +18,8 @@
    ./staging.hackertours.hamburg.ccc.de.nix
    ./staging.hamburg.ccc.de.nix
    ./www.hamburg.ccc.de.nix
-    ./staging.did.hamburg.ccc.de.nix
    ./diday.org.nix
+    ./staging.diday.org.nix
    ./historic-easterhegg
  ];
 }
--- a/config/hosts/public-web-static/virtualHosts/diday.org.nix
+++ b/config/hosts/public-web-static/virtualHosts/diday.org.nix
@ -36,6 +36,10 @@ in
        }
      ];

+      basicAuth = {
+        "preview" = "liebe";
+      };
+
      extraConfig = ''
        return 301 https://diday.org;
      '';
@ -54,6 +58,10 @@ in
        }
      ];

+      basicAuth = {
+        "preview" = "liebe";
+      };
+
      root = "${dataDir}";

      extraConfig = ''
--- a/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
+++ b/config/hosts/public-web-static/virtualHosts/staging.did.hamburg.ccc.de.nix
@ -1,29 +1,23 @@
-{ ... }:
+{ config, ... }:

 let
-  domain = "staging.did.hamburg.ccc.de";
+  domain = "staging.diday.org";
  dataDir = "/var/www/${domain}";
  deployUser = "diday-website-deploy";
 in
 {
-  # security.acme.certs."${domain}".extraDomainNames = [];
+  security.acme.certs."${domain}" = {
+    domain = "*.diday.org";
+    group = "nginx";
+    server = "https://acme-staging-v02.api.letsencrypt.org/directory";
+    dnsProvider = "desec";
+    environmentFile = config.sops.secrets."staging.diday.org/lego.env".path;
+  };

  services.nginx.virtualHosts = {
-    "acme-${domain}" = {
-      enableACME = true;
-      serverName = "${domain}";
-
-      listen = [
-        {
-          addr = "0.0.0.0";
-          port = 31820;
-        }
-      ];
-    };
-
    "${domain}" = {
-      forceSSL = true;
      useACMEHost = "${domain}";
+      forceSSL = true;

      listen = [
        {
@ -34,7 +28,9 @@ in
        }
      ];

-      root = "${dataDir}";
+      basicAuth = {
+        "preview" = "liebe";
+      };

      extraConfig = ''
        # Make use of the ngx_http_realip_module to set the $remote_addr and
@ -56,4 +52,6 @@ in
  systemd.tmpfiles.rules = [
    "d ${dataDir} 0755 ${deployUser} ${deployUser}"
  ];
+
+  sops.secrets."staging.diday.org/lego.env" = {};
 }