migrate www config

2026-02-13 21:50:26 +01:00 · 2026-02-13 21:50:26 +01:00 · bfd37e1389
commit bfd37e1389
parent 3f072e5ecf
5 changed files with 99 additions and 11 deletions
--- a/hosts/www/nginx.nix
+++ b/hosts/www/nginx.nix
@ -4,17 +4,72 @@ let
  # TODO: mkVHost
 in
 {
-  services.nginx.virtualHosts."www.${config.networking.domain}" = {
-    default = true;
-    serverAliases = [config.networking.domain];
-    quic = true;
-    kTLS = true;
-    forceSSL = true;
-    enableACME = true;
-    locations."/" = {
-      root = "/srv/http/www";
-      index = "index.html";
-      tryFiles = "$uri $uri/ $uri.html =404";
+  services.nginx.virtualHosts = {
+    "www.${config.networking.domain}" = {
+      default = true;
+      serverAliases = [config.networking.domain];
+      quic = true;
+      kTLS = true;
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
+        add_header Strict-Transport-Security max-age=15768000;
+      '';
+      locations = {
+        "/" = {
+          root = "/srv/http/www";
+          index = "index.html";
+          tryFiles = "$uri $uri/ $uri.html =404";
+        };
+        # RFC8805
+        "/noc" = {
+          root = "/srv/http/noc";
+        };
+        # RFC8805 new location
+        ".well-known/loc" = {
+          root = "/srv/http/noc";
+        };
+        "/twentyyears" = {
+          alias = "/srv/http/twentyyears";
+        };
+        "/.well-known/matrix/client" = {
+          return = "200 '{\"m.homeserver\":{\"base_url\":\"https://matrix.berlin.ccc.de\"}}'";
+          extraConfig = ''
+            add_header Access-Control-Allow-Origin "*";
+            default_type application/json;
+          '';
+        };
+        "/.well-known/matrix/server" = {
+          return = "200 '{\"m.server\":\"matrix.berlin.ccc.de:443\"}'";
+          extraConfig = ''
+            add_header Access-Control-Allow-Origin "*";
+            default_type application/json;
+          '';
+        };
+        "~ ^/~(.+?)$" = {
+          alias = "/srv/http/homes/$1";
+          extraConfig = ''
+            autoindex on;
+          '';
+        };
+      };
+    };
+    "staging.${config.networking.domain}" = {
+      default = true;
+      quic = true;
+      kTLS = true;
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        basicAuthFile = config.age.secrets.www-staging-htpasswd.path;
+        extraConfig = ''
+          auth_basic "Restricted Content";
+        '';
+        root = "/srv/http/www-staging";
+        index = "index.html";
+        tryFiles = "$uri $uri/ $uri.html =404";
+      };
    };
  };
 }
--- a/hosts/www/openssh.nix
+++ b/hosts/www/openssh.nix
@ -11,7 +11,9 @@
        pkgs.rsync
      ];
      openssh.authorizedKeys.keys = [
+        "command='rsync --server --daemon . /srv/http/',restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEUVX7gs6mqubYsJhi65gvWq4rvA2CtZJFneVRKQHIBs root@www.berlin.ccc.de"
        "command='rsync --server --daemon . /srv/http/www/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
+        "command='rsync --server --daemon . /srv/http/www-staging/',restrict ssh-ed25519 AAAAB3NzaC1yc2EAAAADAQABAAABAQCy... git.berlin.ccc.de/cccb/www"
      ];
      #extraGroups = ["nginx"];
    };