diff --git a/lib/mk_raspi.nix b/lib/mk_raspi.nix index 2ef5631..089f4af 100644 --- a/lib/mk_raspi.nix +++ b/lib/mk_raspi.nix @@ -4,7 +4,8 @@ modules = ( [ # System configuration for this host - "${inputs.self}/systems/${hostname}" + (import "${inputs.self}/systems/${hostname}" + { inherit custom hostname inputs pkgs; }) # Common configuration "${inputs.self}/modules/common" diff --git a/modules/restic-server-client/default.nix b/modules/restic-server-client/default.nix index 56b97f3..531a92a 100644 --- a/modules/restic-server-client/default.nix +++ b/modules/restic-server-client/default.nix @@ -1,4 +1,4 @@ -{ config, inputs, custom, pkgs, time, ... }: +{ hostname, inputs, custom, pkgs, time, ... }: { imports = [ "${inputs.self}/modules/telegram-notifications" @@ -28,7 +28,7 @@ ${pkgs.restic}/bin/restic forget \ --tag home-dir \ - --host ${config.networking.hostName} \ + --host ${hostname} \ --keep-daily 7 \ --keep-weekly 5 \ --keep-monthly 12 \ diff --git a/systems/proxy/default.nix b/systems/proxy/default.nix index e82d25e..08986a1 100644 --- a/systems/proxy/default.nix +++ b/systems/proxy/default.nix @@ -1,13 +1,12 @@ -{ config, custom, inputs, pkgs, ... }: +{ custom, hostname, inputs, pkgs, ... }: { imports = [ (import "${inputs.self}/systems/raspi4" { - hostname = "proxy"; ip = "10.7.89.99"; - inherit inputs pkgs; + inherit hostname inputs pkgs; }) (import "${inputs.self}/modules/restic-server-client" { - time = "11:30"; inherit config custom inputs pkgs; + time = "11:30"; inherit custom hostname inputs pkgs; }) "${inputs.self}/modules/nginx-acme-base" "${inputs.self}/modules/docker" diff --git a/systems/raspi-test/default.nix b/systems/raspi-test/default.nix index 7614d61..152db84 100644 --- a/systems/raspi-test/default.nix +++ b/systems/raspi-test/default.nix 
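Review bot: The added `(import "${inputs.self}/systems/${hostname}" { inherit custom hostname inputs pkgs; })` evaluates each system file with a fixed argument set outside the module system, so any system that still declares `config` or `lib` in its signature (as proxy and raspi-test did before this commit) fails with a missing-argument error, and a system that needs `config` would now have to return a nested module function. Only two systems are migrated in this diff; whether other directories under systems/ exist is not visible here, and `custom` is assumed to already be in scope in mk_raspi.nix. A comment on the import would make the contract explicit: `# systems/<host> is applied directly and sees only custom, hostname, inputs and pkgs`. The enclosing `modules = (` list begins before the hunk and continues past it.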
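Review bot: `--host ${hostname}` now takes a caller-supplied string where `config.networking.hostName` was read from the evaluated system, so the value can drift from the hostname restic records on the snapshots; because `--host` selects which snapshots `forget` considers, a mismatch makes the retention policy match nothing and the repository grows unpruned, while a name shared with another machine would apply this host's retention to that machine's snapshots. The backup command that creates the snapshots is outside the hunk, so whether it pins the same name cannot be checked here. Consider a comment `# must equal the hostname the backup command records; a mismatch silently disables pruning` and, if the backup command does not already do so, passing the same `--host ${hostname}` there. The shell script containing this line starts and ends outside the hunk.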
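Review bot: `time = "11:30"; inherit custom hostname inputs pkgs;` keeps two bindings on one line while the raspi4 call directly above puts each binding on its own line; splitting it into `time = "11:30";` and `inherit custom hostname inputs pkgs;` gives both import calls the same shape and cleaner future diffs. With `hostname = "proxy";` removed, nothing in this file says where `hostname` comes from; a one-line comment at the top such as `# hostname is supplied by the caller, which uses the same value to pick this systems/<name> directory` would save the next reader a trip to lib/mk_raspi.nix. The imports list continues past the end of the hunk.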
@@ -1,77 +1,11 @@ -{ config, custom, inputs, pkgs, ... }: +{ hostname, inputs, pkgs, ... }: { imports = [ (import "${inputs.self}/systems/raspi4" { - hostname = "raspi-test"; - ip = "10.7.89.99"; - inherit inputs pkgs; + ip = "10.7.89.150"; + inherit hostname inputs pkgs; }) - (import "${inputs.self}/modules/restic-server-client" { - time = "11:30"; inherit config custom inputs pkgs; - }) - "${inputs.self}/modules/nginx-acme-base" "${inputs.self}/modules/docker" - "${inputs.self}/modules/haproxy" "${inputs.self}/modules/tmux" ]; - - services.nginx = { - commonHttpConfig = '' - # Add HSTS header with preloading to HTTPS requests. - # Adding this header to HTTP requests is discouraged - map $scheme $hsts_header { - https "max-age=63072000; includeSubdomains; preload"; - } - add_header Strict-Transport-Security $hsts_header; - - # Enable CSP for your services. - #add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always; - - # Minimize information leaked to other domains - add_header 'Referrer-Policy' 'origin-when-cross-origin'; - - # Disable embedding as a frame - add_header X-Frame-Options DENY; - - # Prevent injection of code in other mime types (XSS Attacks) - add_header X-Content-Type-Options nosniff; - - # Enable XSS protection of the browser. 
- # May be unnecessary when CSP is configured properly (see above) - add_header X-XSS-Protection "1; mode=block"; - - # This might create errors - proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; - ''; - virtualHosts = { - "2li.ch" = { - serverAliases = [ "www.2li.ch" ]; - enableACME = true; - forceSSL = true; - listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }]; - locations."/" = { - proxyPass = "http://127.0.0.1:8080"; - proxyWebsockets = true; # needed if you need to use WebSocket - }; - }; - "heimdall.2li.ch" = { - enableACME = true; - forceSSL = true; - listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }]; - locations."/" = { - proxyPass = "http://127.0.0.1:8081"; - proxyWebsockets = true; # needed if you need to use WebSocket - }; - }; - "rss-bridge.2li.ch" = { - enableACME = true; - forceSSL = true; - listen = [{ port = 4433; addr = "127.0.0.1"; ssl = true; }]; - locations."/" = { - proxyPass = "http://127.0.0.1:8082"; - proxyWebsockets = true; # needed if you need to use WebSocket - }; - }; - }; - }; }
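Review bot: The deletion removes from this host the nginx `commonHttpConfig` block carrying HSTS with preload, `X-Frame-Options DENY`, `X-Content-Type-Options nosniff` and the `proxy_cookie_path` cookie attributes, together with the three 2li.ch virtual hosts; if raspi-test was the only place those vhosts and headers were defined they are now gone from the fleet, though they presumably live in systems/proxy or modules/nginx-acme-base, which this diff does not show. The new `ip = "10.7.89.150"` also resolves the address collision with proxy, which keeps `10.7.89.99` in the previous file's hunk, and that is worth stating in the commit message. A one-line comment at the top of the new file, e.g. `# throwaway test host: no backups and no reverse-proxy role`, would explain why the module list is deliberately this short.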