wurzel/fruitbasket
10
1
Fork 1
Code Issues 5 Pull requests Projects Releases Packages Wiki Activity

Add new ifsr website (still in testing)

Browse source
This commit is contained in:
Frieder Hannenheim 2025-05-21 16:56:52 +02:00
parent 4941567bb9
commit a6e807a5da
3 changed files with 53 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

3
modules/forgejo/default.nix
View file

@ -73,6 +73,9 @@ in
actions.ENABLED = true; actions.ENABLED = true;
# federation.ENABLED = true; # federation.ENABLED = true;
webhook.ALLOWED_HOST_LIST = "*.ifsr.de"; webhook.ALLOWED_HOST_LIST = "*.ifsr.de";
cors = {
ENABLED = true;
};
}; };
}; };

1
modules/web/default.nix
View file

@ -1,6 +1,7 @@
{ ... }: { ... }:
{ {
imports = [ imports = [
./ifsrdenew.nix
./ifsrde.nix ./ifsrde.nix
./ese.nix ./ese.nix
./infoscreen.nix ./infoscreen.nix

49
modules/web/ifsrdenew.nix Normal file
View file

@ -0,0 +1,49 @@
{ config, pkgs, lib, ... }:
let
user = "fsr-web";
group = "fsr-web";
webRoot = "/srv/web/ifsrdenew";
in
{
users.users.${user} = {
group = group;
isSystemUser = true;
};
users.groups.${group} = { };
users.users.nginx = {
extraGroups = [ group ];
};
services.nginx = {
virtualHosts."test.${config.networking.domain}" = {
root = webRoot;
locations = {
"/" = {
tryFiles = "$uri $uri/ =404";
};
"~ ^/cmd(/?[^\\n|\\r]*)$".return = "301 https://pad.ifsr.de$1";
"/bbb".return = "301 https://bbb.tu-dresden.de/b/fsr-58o-tmf-yy6";
"/kpp".return = "301 https://kpp.ifsr.de";
"/mese".return = "301 https://ifsr.de/news/mese-and-welcome-back";
"/sso".return = "301 https://sso.ifsr.de/realms/internal/account";
# security
"~* /(\.git|cache|bin|logs|backup|tests)/.*$".return = "403";
# deny running scripts inside core system folders
"~* /(system|vendor)/.*\.(txt|xml|md|html|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
# deny running scripts inside user folder
"~* /user/.*\.(txt|md|json|yaml|yml|php|pl|py|cgi|twig|sh|bat)$".return = "403";
# deny access to specific files in the root folder
"~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess)".return = "403";
## End - Security
};
};
};
users.users."ese-deploy" = {
isNormalUser = true;
openssh.authorizedKeys.keys = [
''command="${pkgs.rrsync}/bin/rrsync ${webRoot}",restrict ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFRIojP9vBbxy0fCEJFMNKXgkTA7Sju9mn+i01mYzovU''
];
};
}