nixos/systems/proxy/default.nix

{ hostname }: { inputs, pkgs, ... }:
{
  imports = [
    (import "${inputs.self}/systems/raspi4" {
      ip = "10.7.89.99";
      inherit hostname;
    })
  ];

  services = {
    az-acme-base.enable = true;
    az-grav.enable = true;
    az-haproxy.enable = true;
    az-heimdall.enable = true;
    az-restic-client-server = {
      enable = true;
      path = "/home/andreas";
      time = "00:00";
    };
    nginx = {
      commonHttpConfig = ''
        # Add HSTS header with preloading to HTTPS requests.
        # Adding this header to HTTP requests is discouraged
        # Enable CSP for your services.
        #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

        # Minimize information leaked to other domains
        add_header 'Referrer-Policy' 'origin-when-cross-origin';

        # Disable embedding as a frame
        add_header X-Frame-Options DENY;

        # Prevent injection of code in other mime types (XSS Attacks)
        add_header X-Content-Type-Options nosniff;

        # Enable XSS protection of the browser.
        # May be unnecessary when CSP is configured properly (see above)
        add_header X-XSS-Protection "1; mode=block";

        # This might create errors
        proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
      '';
      recommendedProxySettings = true;
      virtualHosts = {
        "2li.ch" = {
          serverAliases = [ "www.2li.ch" ];
          enableACME = true;
          forceSSL = true;
          listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];
          locations."/" = {
            proxyPass = "http://127.0.0.1:8080";
            proxyWebsockets = true; # needed if you need to use WebSocket
          };
        };
        "heimdall.2li.ch" = {
          enableACME = true;
          forceSSL = true;
          listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];
          locations."/" = {
            proxyPass = "http://127.0.0.1:8081";
            proxyWebsockets = true; # needed if you need to use WebSocket
          };
        };
      };
    };
  };
}
Remove custom from modules 2023-05-29 16:21:23 +02:00			`{ hostname }: { inputs, pkgs, ... }:`
rewrite proxy 2022-02-28 21:19:55 +01:00			`{`
			`imports = [`
Remove custom from modules 2023-05-29 16:21:23 +02:00			`(import "${inputs.self}/systems/raspi4" {`
Update the proxy config 2022-09-06 19:38:53 +02:00			`ip = "10.7.89.99";`
Remove custom from modules 2023-05-29 16:21:23 +02:00			`inherit hostname;`
rewrite proxy 2022-02-28 21:19:55 +01:00			`})`
			`];`
Update the proxy config 2022-09-06 19:38:53 +02:00
Move Grav into options 2023-06-05 15:14:06 +02:00			`services = {`
Move acme-base into options 2023-06-05 15:58:28 +02:00			`az-acme-base.enable = true;`
Move Grav into options 2023-06-05 15:14:06 +02:00			`az-grav.enable = true;`
Move haproxy into options 2023-06-05 15:21:11 +02:00			`az-haproxy.enable = true;`
Move heimdall into options 2023-06-05 15:23:53 +02:00			`az-heimdall.enable = true;`
Move restic-client-server into options 2023-06-06 22:09:36 +02:00			`az-restic-client-server = {`
			`enable = true;`
			`path = "/home/andreas";`
			`time = "00:00";`
			`};`
Move Grav into options 2023-06-05 15:14:06 +02:00			`nginx = {`
			`commonHttpConfig = ''`
			`# Add HSTS header with preloading to HTTPS requests.`
			`# Adding this header to HTTP requests is discouraged`
			`# Enable CSP for your services.`
			`#add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;`
Update the proxy config 2022-09-06 19:38:53 +02:00
Move Grav into options 2023-06-05 15:14:06 +02:00			`# Minimize information leaked to other domains`
			`add_header 'Referrer-Policy' 'origin-when-cross-origin';`
Update the proxy config 2022-09-06 19:38:53 +02:00
Move Grav into options 2023-06-05 15:14:06 +02:00			`# Disable embedding as a frame`
			`add_header X-Frame-Options DENY;`
Update the proxy config 2022-09-06 19:38:53 +02:00
Move Grav into options 2023-06-05 15:14:06 +02:00			`# Prevent injection of code in other mime types (XSS Attacks)`
			`add_header X-Content-Type-Options nosniff;`
Update the proxy config 2022-09-06 19:38:53 +02:00
Move Grav into options 2023-06-05 15:14:06 +02:00			`# Enable XSS protection of the browser.`
			`# May be unnecessary when CSP is configured properly (see above)`
			`add_header X-XSS-Protection "1; mode=block";`
Update the proxy config 2022-09-06 19:38:53 +02:00
Move Grav into options 2023-06-05 15:14:06 +02:00			`# This might create errors`
			`proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";`
			`'';`
			`recommendedProxySettings = true;`
			`virtualHosts = {`
			`"2li.ch" = {`
			`serverAliases = [ "www.2li.ch" ];`
			`enableACME = true;`
			`forceSSL = true;`
			`listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:8080";`
			`proxyWebsockets = true; # needed if you need to use WebSocket`
			`};`
Update the proxy config 2022-09-06 19:38:53 +02:00			`};`
Move Grav into options 2023-06-05 15:14:06 +02:00			`"heimdall.2li.ch" = {`
			`enableACME = true;`
			`forceSSL = true;`
			`listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }];`
			`locations."/" = {`
			`proxyPass = "http://127.0.0.1:8081";`
			`proxyWebsockets = true; # needed if you need to use WebSocket`
			`};`
Move the nginx configs back to the system I think should try to keep modules separate from each other and combine them on the host level to keep them more flexible. 2022-11-02 21:05:56 +01:00			`};`
			`};`
Update the proxy config 2022-09-06 19:38:53 +02:00			`};`
			`};`
rewrite proxy 2022-02-28 21:19:55 +01:00			`}`