commit f0bb2932b6c5891ccb15c49d35a81fc68abdb789
parent ed750ece29d378e6416c609b2522c8fef396672d
Author: Vincent Demeester <vincent@sbr.pm>
Date: Fri, 12 Jun 2020 13:46:03 +0200
systems/kerkouane: add more config to nginx
Add some security and cache headers.
Signed-off-by: Vincent Demeester <vincent@sbr.pm>
Diffstat:
1 file changed, 16 insertions(+), 0 deletions(-)
diff --git a/systems/kerkouane.nix b/systems/kerkouane.nix
@@ -11,6 +11,16 @@ let
sshPort = if secretCondition then (import secretPath).ssh.kerkouane.port else 22;
+ nginxExtraConfig = ''
+ expires 31d;
+ add_header Cache-Control "public, max-age=604800, immutable"
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
+ add_header X-Content-Type-Options "nosniff"
+ add_header X-Frame-Options "SAMEORIGIN"
+ add_header X-Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems"
+ add_header X-XSS-Protection "1; mode=block"
+ '';
+
sources = import ../nix/sources.nix;
in
{
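Review bot: Five of the `add_header` lines in `nginxExtraConfig` (Cache-Control, X-Content-Type-Options, X-Frame-Options, X-Content-Security-Policy, X-XSS-Protection) have no terminating `;`. nginx reads a directive up to the next semicolon, so these lines run into the following one and the generated configuration should fail to load with an invalid-number-of-arguments error; each needs the form `add_header X-Content-Type-Options "nosniff";`. Separately, `X-Content-Security-Policy` is the legacy prefixed name that current browsers ignore, so the policy would not be enforced; the standard header is `add_header Content-Security-Policy "default-src 'self' *.sbr.pm *.sbr.systems";`. `expires 31d;` also emits its own `Cache-Control: max-age` next to the explicit 604800-second one, so only one of the two should stay. The `let` block begins above this hunk.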
@@ -83,6 +93,7 @@ in
locations."/" = {
index = "index.html";
};
+ extraConfig = nginxExtraConfig;
};
virtualHosts."paste.sbr.pm" = {
enableACME = true;
@@ -91,11 +102,13 @@ in
locations."/" = {
index = "index.html";
};
+ extraConfig = nginxExtraConfig;
};
virtualHosts."go.sbr.pm" = {
enableACME = true;
forceSSL = true;
locations."/" = { proxyPass = "http://127.0.0.1:8080"; };
+ extraConfig = nginxExtraConfig;
};
virtualHosts."sbr.pm" = {
enableACME = true;
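Review bot: `go.sbr.pm` proxies to `http://127.0.0.1:8080`, and the added `extraConfig = nginxExtraConfig;` puts `expires 31d` and `Cache-Control "public, max-age=604800, immutable"` on every response from that backend. If the service returns anything dynamic or per-user, browsers and shared caches may store and replay it for a week or longer; what the backend serves is not visible here, so this needs confirming. A second let-binding holding only the security headers (named, say, `nginxSecurityHeaders`) could be used for this vhost, leaving the `expires` and `Cache-Control` lines to the static sites.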
@@ -104,6 +117,7 @@ in
locations."/" = {
index = "index.html";
};
+ extraConfig = nginxExtraConfig;
};
virtualHosts."sbr.systems" = {
enableACME = true;
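Review bot: The `extraConfig` added in this hunk appears to belong to the `sbr.pm` vhost opened at the end of the previous hunk, so `Strict-Transport-Security "max-age=31536000; includeSubDomains"` is served from the apex and pins every `*.sbr.pm` name to HTTPS for a year in any browser that has seen it. A host under that domain that is not defined in this file and lacks valid TLS would become unreachable for those browsers, and the pin cannot be withdrawn quickly. The same holds for the `sbr.systems` vhost in the next hunk. A comment above the header in `nginxExtraConfig` such as `# includeSubDomains: every subdomain must serve valid TLS` would record the constraint, and a shorter `max-age` during rollout is the usual precaution.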
@@ -112,6 +126,7 @@ in
locations."/" = {
index = "index.html";
};
+ extraConfig = nginxExtraConfig;
};
virtualHosts."vincent.demeester.fr" = {
enableACME = true;
@@ -120,6 +135,7 @@ in
locations."/" = {
index = "index.html";
};
+ extraConfig = nginxExtraConfig;
};
};
openssh.ports = [ sshPort ];