

commit f0bb2932b6c5891ccb15c49d35a81fc68abdb789
parent ed750ece29d378e6416c609b2522c8fef396672d
Author: Vincent Demeester <vincent@sbr.pm>
Date:   Fri, 12 Jun 2020 13:46:03 +0200

systems/kerkouane: add more config to nginx

Add some security and cache headers.

Signed-off-by: Vincent Demeester <vincent@sbr.pm>

Diffstat:
Msystems/kerkouane.nix | 16++++++++++++++++
1 file changed, 16 insertions(+), 0 deletions(-)

diff --git a/systems/kerkouane.nix b/systems/kerkouane.nix @@ -11,6 +11,16 @@ let sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22; + nginxExtraConfig = '' + expires 31d; + add_header Cache-Control "public, max-age=604800, immutable" + add_header Strict-Transport-Security "max-age=31536000; includeSubDomains"; + add_header X-Content-Type-Options "nosniff" + add_header X-Frame-Options "SAMEORIGIN" + add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems" + add_header X-XSS-Protection "1; mode=block" + ''; + sources = import ../nix/sources.nix; in { @@ -83,6 +93,7 @@ in locations."/" = { index = "index.html"; }; + extraConfig = nginxExtraConfig; }; virtualHosts."paste.sbr.pm" = { enableACME = true; @@ -91,11 +102,13 @@ in locations."/" = { index = "index.html"; }; + extraConfig = nginxExtraConfig; }; virtualHosts."go.sbr.pm" = { enableACME = true; forceSSL = true; locations."/" = { proxyPass = "http://127.0.0.1:8080"; }; + extraConfig = nginxExtraConfig; }; virtualHosts."sbr.pm" = { enableACME = true; @@ -104,6 +117,7 @@ in locations."/" = { index = "index.html"; }; + extraConfig = nginxExtraConfig; }; virtualHosts."sbr.systems" = { enableACME = true; @@ -112,6 +126,7 @@ in locations."/" = { index = "index.html"; }; + extraConfig = nginxExtraConfig; }; virtualHosts."vincent.demeester.fr" = { enableACME = true; @@ -120,6 +135,7 @@ in locations."/" = { index = "index.html"; }; + extraConfig = nginxExtraConfig; }; }; openssh.ports = [ sshPort ];
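Review bot: Five of the six `add_header` lines in the new `nginxExtraConfig` string (Cache-Control, X-Content-Type-Options, X-Frame-Options, X-Content-Security-Policy, X-XSS-Protection) have no terminating `;`, so nginx will read the next directive as extra arguments and most likely reject the configuration; each needs the same ending as the Strict-Transport-Security line. `X-Content-Security-Policy` is the old experimental header name that current browsers ignore, so the policy is not enforced as written; the standard form is `add_header Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems";`. `add_header` without `always` is skipped on 4xx/5xx responses, so consider `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;` and the same for the other security headers. The `let` block this string is defined in starts before the hunk.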
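Review bot: `extraConfig = nginxExtraConfig;` on `go.sbr.pm` (hunk `@@ -91,11 +102,13 @@`) applies `expires 31d` and `Cache-Control "public, max-age=604800, immutable"` to every cacheable response proxied from `127.0.0.1:8080`, and the same line in the other vhost hunks does so for `index.html` on the five static hosts, so browsers and shared caches may keep serving stale or per-user content long after it changes. What the backend returns is not visible here, so this needs checking; a safer shape is to keep the security headers at server level and move the caching directives into a location that matches only fingerprinted static assets. `expires` also emits its own `Cache-Control: max-age=...`, so the explicit header produces a second, conflicting value. A comment above the shared string such as `# applied to every vhost, including the go.sbr.pm proxy` would make the scope clear to the next editor.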