From bfd37e13897b0c2c590b2ca5a3662a1b27d46193 Mon Sep 17 00:00:00 2001
From: "Ricardo (XenGi) Band"
Date: Fri, 13 Feb 2026 21:50:26 +0100
Subject: [PATCH] migrate www config
---
 flake.nix | 12 +++++
 hosts/www/nginx.nix | 77 +++++++++++++++++++++++++++-----
 hosts/www/openssh.nix | 2 +
 secrets/secrets.nix | 2 +
 secrets/www-staging-htpasswd.age | 17 +++++++
 5 files changed, 99 insertions(+), 11 deletions(-)
 create mode 100644 secrets/www-staging-htpasswd.age
diff --git a/flake.nix b/flake.nix
index ba15b80..93b8e34 100644
--- a/flake.nix
+++ b/flake.nix
@@ -108,6 +108,18 @@
 #pkgs = import nixpkgs { inherit system; };
 inherit system;
 modules = [
+ agenix.nixosModules.default
+ { environment.systemPackages = [ (agenix.packages.${system}.default) ]; }
+ {
+ age.secrets = {
+ www-staging-htpasswd = {
+ file = ./secrets/www-staging-htpasswd.age;
+ owner = "nginx";
+ group = "nginx";
+ mode = "0440";
+ };
+ };
+ }
 ./hosts/www
 ];
 };
diff --git a/hosts/www/nginx.nix b/hosts/www/nginx.nix
index 4aaa1e0..832244a 100644
--- a/hosts/www/nginx.nix
+++ b/hosts/www/nginx.nix
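Review bot: The `age.secrets.www-staging-htpasswd` declaration is placed inline in flake.nix while its only consumer is the `basicAuthFile` reference in hosts/www/nginx.nix, so the secret's definition and the code that depends on it live in different files; I'd move that attrset into ./hosts/www next to nginx.nix and keep only `agenix.nixosModules.default` (and the CLI package) in this list. The `owner = "nginx"; group = "nginx"; mode = "0440";` triple is the right shape for a file nginx must read but never write, so nothing to change there. The `modules = [` list edited here belongs to a host definition that starts and ends outside the hunk.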
@@ -4,17 +4,72 @@ let
 # TODO: mkVHost
 in {
- services.nginx.virtualHosts."www.${config.networking.domain}" = {
- default = true;
- serverAliases = [config.networking.domain];
- quic = true;
- kTLS = true;
- forceSSL = true;
- enableACME = true;
- locations."/" = {
- root = "/srv/http/www";
- index = "index.html";
- tryFiles = "$uri $uri/ $uri.html =404";
+ services.nginx.virtualHosts = {
+ "www.${config.networking.domain}" = {
+ default = true;
+ serverAliases = [config.networking.domain];
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ extraConfig = ''
+ # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+ add_header Strict-Transport-Security max-age=15768000;
+ '';
+ locations = {
+ "/" = {
+ root = "/srv/http/www";
+ index = "index.html";
+ tryFiles = "$uri $uri/ $uri.html =404";
+ };
+ # RFC8805
+ "/noc" = {
+ root = "/srv/http/noc";
+ };
+ # RFC8805 new location
+ ".well-known/loc" = {
+ root = "/srv/http/noc";
+ };
+ "/twentyyears" = {
+ alias = "/srv/http/twentyyears";
+ };
+ "/.well-known/matrix/client" = {
+ return = "200 '{\"m.homeserver\":{\"base_url\":\"https://matrix.berlin.ccc.de\"}}'";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ default_type application/json;
+ '';
+ };
+ "/.well-known/matrix/server" = {
+ return = "200 '{\"m.server\":\"matrix.berlin.ccc.de:443\"}'";
+ extraConfig = ''
+ add_header Access-Control-Allow-Origin "*";
+ default_type application/json;
+ '';
+ };
+ "~ ^/~(.+?)$" = {
+ alias = "/srv/http/homes/$1";
+ extraConfig = ''
+ autoindex on;
+ '';
+ };
+ };
+ };
+ "staging.${config.networking.domain}" = {
+ default = true;
+ quic = true;
+ kTLS = true;
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ basicAuthFile = config.age.secrets.www-staging-htpasswd.path;
+ extraConfig = ''
+ auth_basic "Restricted Content";
+ '';
+ root = "/srv/http/www-staging";
+ index = "index.html";
+ tryFiles = "$uri $uri/ $uri.html =404";
+ };
 };
 };
 }
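Review bot: The HSTS header set in the www vhost's `extraConfig` will not be sent from the two `/.well-known/matrix/*` locations, because nginx inherits `add_header` into a block only when that block declares no `add_header` of its own, and both of those locations add `Access-Control-Allow-Origin`; repeat `add_header Strict-Transport-Security max-age=15768000;` inside each of them so every response on the host carries it. Both `"www.${config.networking.domain}"` and `"staging.${config.networking.domain}"` set `default = true;`, which emits `default_server` twice for the same listen address and nginx rejects that as a duplicate default server, so only one vhost should keep it. The `".well-known/loc"` location key lacks the leading slash and can never match a request URI (they always start with `/`); it should read `"/.well-known/loc"`. In the staging location, the `auth_basic "Restricted Content";` line in `extraConfig` appears redundant with the `auth_basic` directive the NixOS module already emits for `basicAuthFile`, and if so it is a duplicate directive that nginx refuses; I'd drop it and verify with the generated config. The module's `let`/`in` head begins before the hunk.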
diff --git a/hosts/www/openssh.nix b/hosts/www/openssh.nix
index c79d365..994cc9d 100644
--- a/hosts/www/openssh.nix
+++ b/hosts/www/openssh.nix
@@ -11,7 +11,9 @@
 pkgs.rsync
 ];
 openssh.authorizedKeys.keys = [
+ "command='rsync --server --daemon . /srv/http/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUVX7gs6mqubYsJhi65gvWq4rvA2CtZJFneVRKQHIBs root@www.berlin.ccc.de"
 "command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
+ "command='rsync --server --daemon . /srv/http/www-staging/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
 ];
 #extraGroups = ["nginx"];
 };
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index e8853ac..e21b110 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,7 @@ let
 _matrix = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIApAkkhHLj918co/wUGuyW8WCPYHxsNM4uo32XDEu7VV root@matrix";
 _md = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFdFkdEEDXo8+k5YZpI1O2GqZlxcpCDtxqVun35duITm root@md";
 _sql = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPcSXjDSyVVVdJbpheOhT0fIuOGFk+jsHhjrAVnBNLQV root@sql";
+ _www = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAID4TJCMuJZn03soKuxxv6ywFKiXfhLf9Ab03fbMqNaBJ root@www";
 in {
 "matrix_admin_password.age".publicKeys = users;
@@ -29,5 +30,6 @@ in
 "grafana_secret_key.age".publicKeys = users ++ [ _matrix ];
 "postgres-matrix-synapse.age".publicKeys = users ++ [ _sql _matrix ];
 "postgres-hedgedoc.age".publicKeys = users ++ [ _sql _md ];
+ "www-staging-htpasswd.age".publicKeys = users ++ [ _www ];
 }
diff --git a/secrets/www-staging-htpasswd.age b/secrets/www-staging-htpasswd.age
new file mode 100644
index 0000000..e1ff52d
--- /dev/null
+++ b/secrets/www-staging-htpasswd.age
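Review bot: The new `www-staging` authorized_keys entry carries the same public key and comment as the existing `/srv/http/www/` entry (`AAAAB3...QCy... git.berlin.ccc.de/cccb/www`), and sshd applies the options of the first matching line, so the staging forced command would never be selected; the staging deploy needs a key pair of its own. The `/srv/http/…` suffix in each forced command is passed as an argument to `rsync --server --daemon`, but in daemon mode the writable paths come from the rsyncd module configuration rather than from that argument, so I'd confirm the module definitions confine each key to its directory — the argument by itself does not. The option string is written with single quotes (`command='…'`) whereas sshd documents `command="…"`; a rejected option string disables the whole key line, so this form should be verified as accepted (the pre-existing line shares it). The added `root@www.berlin.ccc.de` key allows rsync into all of `/srv/http/`; if it exists only for the migration, plan to remove it afterwards. The user definition this list belongs to starts and ends outside the hunk.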
@@ -0,0 +1,17 @@ +age-encryption.org/v1 +-> ssh-ed25519 uH+n1w Ar9bAfSRPMAeuc4p+b8cCL37M6SAsKwlzb4fHKHQXmo +RONTu2g+yMucqJSNZFbu0H4ZPy0eFzrTKk4SEr89KJA +-> ssh-ed25519 EvLbWw D7r46PZVYRk4uayNRpVSREqeqthRt6cLQCAQZxX07zY +de/675k60YL09QzxYHPaWXTTKubU9HWVtepd+RxdbCU +-> ssh-ed25519 dM+fLQ mCg1Amjge6dXCLtRXG4YpXAYxgmPm7IfI5FFpCxxvFs +rPW4AnuX0cnzwDeg6LAuVYtL3SoTa5iekfduZf7x0K8 +-> ssh-ed25519 jxWM2Q l4phZDe2q+W+50Yq112miS0CWV15islvyNcCMiMvdgA +zuHU+P2E8ZD5mks/OywGOggVfTuVwWJxCsdUdrFJ7WA +-> ssh-ed25519 /yCUCg dMyt09SuN7DJnThADJvCD6nUeTkja7U92VcWTM/YsBo +usI3AcP5YASWJvYRueoKfu7FAdK5wp+8sxVvbGWU3bE +-> ssh-ed25519 FGp51g oFgvDFMXOFH+W6+YXgn1UTomBdmUg5fBgvsKbU5S0k8 +eq0l/Gtb0bHxUKeIw7cA/vCiqt/YFmJh2yzwWfh05VI +-> ssh-ed25519 Iapucg DeK9BiclurPDW3ZVfFW1TCNWA5U6mS1dauuSlHMT3i0 +DtmHxzkTgkQb2K8pBq3sR1HIt6X1s7f7ZiWYf699Qxc +--- kob1NwoFTUA8433K4eXTmgWzgStvrfsGUi9mUd5qy9s +1P{&SIxuCNQQJ/`X@Ǽgʔ.s8C>-5߁; \ No newline at end of file