From 41dc9c8529a3ec2c768afa0754a5bf819a33a6d7 Mon Sep 17 00:00:00 2001
From: lilly
Date: Tue, 24 Feb 2026 17:01:25 +0100
Subject: [PATCH] configure www2 nginx
---
inventories/chaosknoten/host_vars/www2.yaml | 5 ++
.../chaosknoten/www2/nginx/diday.org.conf | 80 +++++++++++++++++++
2 files changed, 85 insertions(+)
create mode 100644 inventories/chaosknoten/host_vars/www2.yaml
create mode 100644 resources/chaosknoten/www2/nginx/diday.org.conf
diff --git a/inventories/chaosknoten/host_vars/www2.yaml b/inventories/chaosknoten/host_vars/www2.yaml
new file mode 100644
index 000000000..a8a9ce893
--- /dev/null
+++ b/inventories/chaosknoten/host_vars/www2.yaml
@@ -0,0 +1,5 @@
+nginx__version_spec: ""
+nginx__configurations:
+ - name: diday.org
+ content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/www2/nginx/diday.org.conf') }}"
+
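Review bot: `nginx__version_spec: ""` carries no comment, and the role that consumes it is not visible here, so a reader cannot tell whether the empty string means "install whatever the repository currently offers" or something else. If it does leave the package unpinned, say so next to the variable, e.g. `# empty spec: track the distribution's nginx package, no version pin`, so the choice is visibly deliberate. The `lookup('ansible.builtin.file', ...)` path is relative; it presumably resolves from the repository root where the playbook runs, and a short comment on that would help anyone running the play from another directory.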
diff --git a/resources/chaosknoten/www2/nginx/diday.org.conf b/resources/chaosknoten/www2/nginx/diday.org.conf
new file mode 100644
index 000000000..8cc655cd6
--- /dev/null
+++ b/resources/chaosknoten/www2/nginx/diday.org.conf
@@ -0,0 +1,80 @@
+server {
+ listen 443 ssl;
+ listen [::]:443 ssl;
+ http2 on;
+
+ server_name diday.org;
+
+ # use our router as resolver
+ resolver 10.31.208.1;
+
+ # configure the ngx_http_realip_module to set $remote_addr and $remote_port to the
+ # information passed through from public-reverse-proxy.hamburg.ccc.de via proxy-protocol
+ set_real_ip_from 2a00:14b0:4200:3000:125::1;
+ real_ip_header proxy_protocol;
+
+ # configure tls trustchain
+ ssl_certificate /dev/null;
+ ssl_certificate_key /dev/null;
+ ssl_trusted_certificate /dev/null;
+
+ #
+ # configure site
+ #
+ root /var/www/diday.org;
+ error_page 404 /404.html;
+ index index.html;
+ add_header Referrer-Policy "strict-origin-when-cross-origin" always;
+
+ # return a redirect based on the map loaded from the webroot
+ if ($did_redirect_target ~ ^301:(.*)$) {
+ return 301 $1;
+ }
+ if ($did_redirect_target ~ ^302:(.*)$) {
+ return 302 $1;
+ }
+
+ # deny access to the redirects config file
+ location = /nginx-redirects.conf {
+ deny all;
+ return 404;
+ }
+
+ # dynamically redirect the user to the language they prefer
+ location = / {
+ set $lang "de";
+ if ($http_accept_language ~* "^en") {
+ set $lang "en";
+ }
+ return 302 /$lang/;
+ }
+
+ # configure decap-cms content-type and caching rules
+ location = /admin/cms.js {
+ expires -1;
+ add_header Cache-Control "no-store";
+ }
+ location = /admin/config.yml {
+ expires -1;
+ add_header Cache-Control "no-store";
+ types { }
+ default_type text/yaml;
+ }
+
+ # configure asset caching
+ location ~* \.(js|css|png|jpg|jpeg|gif|ico|svg|woff2?)$ {
+ expires 1y;
+ add_header Cache-Control "public, immutable";
+ }
+
+ # we are using the Astro Image Pipeline, therefore DecapCMS can't access image previews
+ location /admin/src/ {
+ log_not_found off;
+ return 404;
+ }
+
+ location / {
+ try_files $uri $uri/ =404;
+ }
+}
+
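Review bot: `real_ip_header proxy_protocol;` has no effect as written, because neither `listen` line carries the `proxy_protocol` parameter, so `$remote_addr` in logs and access rules stays the address of the connecting peer; if the reverse proxy does send a PROXY header to this port, the TLS handshake would fail instead. The listeners should read `listen 443 ssl proxy_protocol;` and `listen [::]:443 ssl proxy_protocol;`, or use whichever port the proxy actually targets, which is not visible in this patch. Separately, the `add_header Cache-Control ...` lines in the `/admin/cms.js`, `/admin/config.yml` and static-asset locations replace the server-level `add_header Referrer-Policy`, since nginx inherits `add_header` only into blocks that define none of their own; repeat `add_header Referrer-Policy "strict-origin-when-cross-origin" always;` in those three locations. `$did_redirect_target` is not defined in this file, so the `map` has to exist in the http context elsewhere. If it is built by including `nginx-redirects.conf` from the webroot, as the comment suggests, then anyone who can publish site content can also change what nginx parses as configuration, so that trust boundary deserves a comment.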