From 1a9475ad7fee50fd7a787c413e40661352c6a28f Mon Sep 17 00:00:00 2001 From: clerie Date: Sat, 31 May 2025 13:00:43 +0200 Subject: [PATCH 1/4] profiles/common-webserver: Migrate webserver config to profile --- configuration/common/default.nix | 1 - configuration/common/web.nix | 54 --------------------- profiles/common-webserver/default.nix | 70 +++++++++++++++++++++++++++ profiles/common/default.nix | 2 + profiles/default.nix | 1 + 5 files changed, 73 insertions(+), 55 deletions(-) delete mode 100644 configuration/common/web.nix create mode 100644 profiles/common-webserver/default.nix diff --git a/configuration/common/default.nix b/configuration/common/default.nix index 3c07706..0c7b5c5 100644 --- a/configuration/common/default.nix +++ b/configuration/common/default.nix @@ -12,7 +12,6 @@ ./ssh.nix ./systemd.nix ./user.nix - ./web.nix ]; services.fstrim.enable = true; diff --git a/configuration/common/web.nix b/configuration/common/web.nix deleted file mode 100644 index f98065f..0000000 --- a/configuration/common/web.nix +++ /dev/null 
@@ -1,54 +0,0 @@ -{ ... }: - -{ - services.nginx = { - enableReload = true; - recommendedGzipSettings = true; - recommendedOptimisation = true; - recommendedProxySettings = true; - recommendedTlsSettings = true; - - commonHttpConfig = '' - server_names_hash_bucket_size 64; - charset utf-8; - types { - text/plain nix; - } - map $remote_addr $remote_addr_anon { - ~(?P\d+\.\d+\.\d+)\. $ip.0; - ~(?P[^:]*:[^:]*(:[^:]*)?): $ip::; - default ::; - } - log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] ' - '"$request" $status $body_bytes_sent ' - '"$http_referer" "$http_user_agent"'; - access_log /var/log/nginx/access.log vcombined_anon; - ''; - - virtualHosts = { - "default" = { - default = true; - rejectSSL = true; - locations."/" = { - return = ''200 "Some piece of infrastructure\n"''; - extraConfig = '' - types { } default_type "text/plain; charset=utf-8"; - ''; - }; - }; - }; - }; - - services.logrotate.settings.nginx = { - frequency = "daily"; - maxage = 14; - }; - - security.acme = { - defaults.email = "letsencrypt@clerie.de"; - acceptTerms = true; - }; -} diff --git a/profiles/common-webserver/default.nix b/profiles/common-webserver/default.nix new file mode 100644 index 0000000..f64ac8e --- /dev/null +++ b/profiles/common-webserver/default.nix 
@@ -0,0 +1,70 @@ +{ config, lib, ... }: + +with lib; + +let + + cfg = config.profiles.clerie.common-webserver; + +in { + + options.profiles.clerie.common-webserver = { + enable = mkEnableOption "Webserver profile"; + httpDefaultVirtualHost = (mkEnableOption "Default Virtual Host") // { + default = true; + }; + }; + + config = mkIf cfg.enable { + services.nginx = { + enableReload = true; + recommendedGzipSettings = true; + recommendedOptimisation = true; + recommendedProxySettings = true; + recommendedTlsSettings = true; + + commonHttpConfig = '' + server_names_hash_bucket_size 64; + charset utf-8; + types { + text/plain nix; + } + map $remote_addr $remote_addr_anon { + ~(?P\d+\.\d+\.\d+)\. $ip.0; + ~(?P[^:]*:[^:]*(:[^:]*)?): $ip::; + default ::; + } + log_format combined_anon '$remote_addr_anon - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + log_format vcombined_anon '$host: $remote_addr_anon - $remote_user [$time_local] ' + '"$request" $status $body_bytes_sent ' + '"$http_referer" "$http_user_agent"'; + access_log /var/log/nginx/access.log vcombined_anon; + ''; + + virtualHosts = mkIf cfg.httpDefaultVirtualHost { + "default" = { + default = true; + rejectSSL = true; + locations."/" = { + return = ''200 "Some piece of infrastructure\n"''; + extraConfig = '' + types { } default_type "text/plain; charset=utf-8"; + ''; + }; + }; + }; + }; + + services.logrotate.settings.nginx = { + frequency = "daily"; + maxage = 14; + }; + + security.acme = { + defaults.email = "letsencrypt@clerie.de"; + acceptTerms = true; + }; + }; +} diff --git a/profiles/common/default.nix b/profiles/common/default.nix index 186683c..f3ae5ba 100644 --- a/profiles/common/default.nix +++ b/profiles/common/default.nix @@ -14,5 +14,7 @@ with lib; profiles.clerie.common-networking.enable = mkDefault true; + profiles.clerie.common-webserver.enable = mkDefault true; + }; } 
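Review bot: The new `httpDefaultVirtualHost` option carries only the `mkEnableOption` summary "Default Virtual Host", yet switching it off removes the `default = true` / `rejectSSL = true` catch-all, so on such a host nginx will answer requests for unknown `Host` names from whichever vhost sorts first and will no longer reject TLS handshakes for unknown SNI (which is what `rejectSSL` provides). I would spell that out on the option: `description = "Serve a catch-all default_server that answers plain HTTP with a fixed text body and rejects TLS handshakes for unknown names. Disable only when nothing on this host needs a default vhost, e.g. when 80/443 are handled by the stream proxy.";`. Separately, the `map` regexes in `commonHttpConfig` read `(?P\d+\.\d+\.\d+)` and `(?P[^:]*…)` here with no group name although `$ip` is referenced on the same line; if `<ip>` was merely dropped by rendering this is fine, otherwise nginx will refuse to load the config, so it is worth confirming on a host with the profile enabled.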
diff --git a/profiles/default.nix b/profiles/default.nix index 9052485..7d0aa97 100644 --- a/profiles/default.nix +++ b/profiles/default.nix @@ -6,6 +6,7 @@ ./common ./common-dns ./common-networking + ./common-webserver ./cybercluster-vm ./dn42-router ./fem-net From 50ca6f03eed48435986e42a34f8603b754cf110b Mon Sep 17 00:00:00 2001 From: clerie Date: Sat, 31 May 2025 13:02:18 +0200 Subject: [PATCH 2/4] hosts/porter: Proxy port 80 and 443 to baikonur --- hosts/porter/configuration.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/hosts/porter/configuration.nix b/hosts/porter/configuration.nix index 2e236c2..2c873a4 100644 --- a/hosts/porter/configuration.nix +++ b/hosts/porter/configuration.nix @@ -26,8 +26,18 @@ ipv6AcceptRAConfig.DHCPv6Client = "no"; }; + profiles.clerie.common-webserver.httpDefaultVirtualHost = false; + clerie.nginx-port-forward = { enable = true; + tcpPorts."80" = { + host = "baikonur.dyn.weimarnetz.de"; + port = 80; + }; + tcpPorts."443" = { + host = "baikonur.dyn.weimarnetz.de"; + port = 443; + }; tcpPorts."2022" = { host = "nonat.net.clerie.de"; port = 22; From 92f84951110632360b74ba37321060f361b65886 Mon Sep 17 00:00:00 2001 From: clerie Date: Sat, 31 May 2025 13:03:00 +0200 Subject: [PATCH 3/4] modules/nginx-port-forward: Automatically reresolve hostnames --- modules/nginx-port-forward/default.nix | 2 ++ 1 file changed, 2 insertions(+) diff --git a/modules/nginx-port-forward/default.nix b/modules/nginx-port-forward/default.nix index b0d4817..c54e018 100644 --- a/modules/nginx-port-forward/default.nix +++ b/modules/nginx-port-forward/default.nix @@ -24,6 +24,8 @@ let portForwardConf = '' stream { + resolver 127.0.0.53; + ${ concatStringsSep "\n" (mapAttrsToList (mkServerBlock false) cfg.tcpPorts) } ${ concatStringsSep "\n" (mapAttrsToList (mkServerBlock true) cfg.udpPorts) } } From 82deb5e772c2d02410e8b5d3f9a76dd1eb27b75e Mon Sep 17 00:00:00 2001 
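Review bot: The new `tcpPorts."80"` and `tcpPorts."443"` entries forward raw TCP to `baikonur.dyn.weimarnetz.de`, so baikonur sees every connection as originating from porter's own address, which defeats per-client rate limiting, fail2ban-style blocking and the anonymised access log on the backend; HTTPS stays end-to-end encrypted across the forward, but port 80 traffic travels to a dynamic-DNS target in the clear. If the `clerie.nginx-port-forward` module (not in this hunk) can emit `proxy_protocol on;` for an entry, I would enable it for these two ports and have baikonur's nginx listen with `proxy_protocol`; otherwise the entries should at least carry a comment such as `# L4 forward: baikonur sees porter's address as the client, not the real peer`. The `clerie.nginx-port-forward` attrset continues past the end of this hunk.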
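Review bot: The `resolver 127.0.0.53;` added to the `stream` block hard-codes the systemd-resolved stub listener, so on a host where `services.resolved` is not enabled nothing answers there and every forward that depends on runtime resolution fails; nginx also only consults a `resolver` when `proxy_pass` is given a variable, so if `mkServerBlock` (defined above this hunk) emits a literal hostname the upstream is still resolved once at startup and the re-resolution the commit title promises does not happen. I would make the address an option of the module with `127.0.0.53` as its default and add an assertion along the lines of `{ assertion = config.services.resolved.enable; message = "nginx-port-forward: resolver 127.0.0.53 requires systemd-resolved"; }` (assuming `config` is in scope), and confirm the server blocks use `set $backend "host:port"; proxy_pass $backend;`. Worth recording in a comment too: the nginx resolver performs no DNSSEC validation of its own, so with dynamic-DNS targets a stale or hijacked record silently redirects plaintext port 80 traffic. The `let` binding holding `portForwardConf` starts before this hunk.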
From: Flake Update Bot Date: Sun, 1 Jun 2025 03:03:06 +0200 Subject: [PATCH 4/4] Update nixpkgs 2025-06-01-01-03 --- flake.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/flake.lock b/flake.lock index 1dfdc50..64b05dd 100644 --- a/flake.lock +++ b/flake.lock @@ -551,11 +551,11 @@ }, "nixpkgs_3": { "locked": { - "lastModified": 1748190013, - "narHash": "sha256-R5HJFflOfsP5FBtk+zE8FpL8uqE7n62jqOsADvVshhE=", + "lastModified": 1748460289, + "narHash": "sha256-7doLyJBzCllvqX4gszYtmZUToxKvMUrg45EUWaUYmBg=", "owner": "NixOS", "repo": "nixpkgs", - "rev": "62b852f6c6742134ade1abdd2a21685fd617a291", + "rev": "96ec055edbe5ee227f28cdbc3f1ddf1df5965102", "type": "github" }, "original": {