HTTP headers

3b199a08 · erdnaxe · 860782dc · 3b199a08 · 3b199a08 · 3b199a08
Commit 3b199a08 authored May 29, 2022 by erdnaxe 🦋
--- a/base/letsencrypt.nix
+++ b/base/letsencrypt.nix
@@ -10,8 +10,5 @@
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
-    commonHttpConfig = ''
-      add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
-    '';
  };
 }
--- a/services/bmpc.nix
+++ b/services/bmpc.nix
@@ -17,6 +17,12 @@ in
      enableACME = true;
      forceSSL = true;
      root = "${bmpc}/static";
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options deny;
+        add_header X-XSS-Protection "1; mode=block";
+      '';
    };
  };
 }
--- a/services/element.nix
+++ b/services/element.nix
@@ -3,26 +3,35 @@
 {
  networking.firewall.allowedTCPPorts = [ 80 443 ];

-  services.nginx.virtualHosts."chat.iooss.fr" = {
-    enableACME = true;
-    forceSSL = true;
-    root = pkgs.element-web.override {
-      conf = {
-        default_server_config = {
-          "m.homeserver" = {
-            "base_url" = "https://iooss.fr";
-            "server_name" = "iooss.fr";
+  services.nginx = {
+    enable = true;
+    virtualHosts."chat.iooss.fr" = {
+      enableACME = true;
+      forceSSL = true;
+      root = pkgs.element-web.override {
+        conf = {
+          default_server_config = {
+            "m.homeserver" = {
+              "base_url" = "https://iooss.fr";
+              "server_name" = "iooss.fr";
+            };
+            "m.identity_server".base_url = "";
          };
-          "m.identity_server".base_url = "";
+          disable_3pid_login = true;
+          integrations_ui_url = "";
+          integrations_rest_url = "";
+          integrations_widgets_urls = [ ];
+          bug_report_endpoint_url = "";
+          showLabsSettings = true;
+          jitsi.preferredDomain = "jitsi.crans.org";
        };
-        disable_3pid_login = true;
-        integrations_ui_url = "";
-        integrations_rest_url = "";
-        integrations_widgets_urls = [ ];
-        bug_report_endpoint_url = "";
-        showLabsSettings = true;
-        jitsi.preferredDomain = "jitsi.crans.org";
      };
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options deny;
+        add_header X-XSS-Protection "1; mode=block";
+      '';
    };
  };
 }
--- a/services/gitea.nix
+++ b/services/gitea.nix
@@ -28,6 +28,11 @@
      enableACME = true;
      forceSSL = true;
      locations."/" = { proxyPass = "http://[::1]:3000"; };
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+      '';
    };
  };
 }
--- a/services/grafana.nix
+++ b/services/grafana.nix
@@ -22,6 +22,9 @@
      enableACME = true;
      forceSSL = true;
      locations."/" = { proxyPass = "http://127.0.0.1:3001"; };
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+      '';
    };
  };
 }
--- a/services/grimorio.nix
+++ b/services/grimorio.nix
@@ -7,6 +7,11 @@
      enableACME = true;
      forceSSL = true;
      root = "/var/www/grimorio/";
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options deny;
+      '';
    };
  };
 }
--- a/services/libreddit.nix
+++ b/services/libreddit.nix
@@ -43,6 +43,9 @@
        proxyPass = "http://127.0.0.1:3003";
        proxyWebsockets = true;
      };
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+      '';
    };
  };
 }
--- a/services/radicale.nix
+++ b/services/radicale.nix
@@ -16,6 +16,12 @@
      enableACME = true;
      forceSSL = true;
      locations."/" = { proxyPass = "http://localhost:5232"; };
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options deny;
+        add_header X-XSS-Protection "1; mode=block";
+      '';
    };
  };
 }
--- a/services/tvla.nix
+++ b/services/tvla.nix
@@ -14,6 +14,12 @@
        rev = "d06c54a164e9b14f5dcf7b0d58de89b70379c071";
        sha256 = "0gmm49bqrqqn0j8n3icl4jwax893p3d7zsn25azijp8q2p07z5nv";
      };
+      extraConfig = ''
+        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-Frame-Options deny;
+        add_header X-XSS-Protection "1; mode=block";
+      '';
    };
  };
 }