nix-infra/config/hosts/public-web-static/virtualHosts/element.hamburg.ccc.de.nix

94 lines
2.7 KiB
Nix
Raw Normal View History

{ pkgs, ... }:
let
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
};
elementSecurityHeaders = ''
# Configuration best practices
# See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'none'";
add_header Strict-Transport-Security "max-age=63072000" always;
'';
in
{
services.nginx.virtualHosts = {
"acme-element.hamburg.ccc.de" = {
default = true;
enableACME = true;
serverName = "element.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 31820;
}
];
};
"element.hamburg.ccc.de" = {
default = true;
forceSSL = true;
useACMEHost = "element.hamburg.ccc.de";
listen = [
{
addr = "0.0.0.0";
port = 8443;
ssl = true;
extraParameters = [ "proxy_protocol" ];
}
];
root = pkgs.buildEnv {
name = "element-web";
paths = [
element-web
./element-web-config
];
};
# Set no-cache for the version, config and index.html
# so that browsers always check for a new copy of Element Web.
# NB http://your-domain/ and http://your-domain/? are also covered by this
locations."= /index.html" = {
extraConfig = elementSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
locations."= /version" = {
extraConfig = elementSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
# covers config.json and config.hostname.json requests as it is prefix.
locations."/config" = {
extraConfig = elementSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
extraConfig = elementSecurityHeaders + ''
index index.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
# Make use of the ngx_http_realip_module to set the $remote_addr and
# $remote_port to the client address and client port, when using proxy
# protocol.
# First set our proxy protocol proxy as trusted.
set_real_ip_from 172.31.17.140;
# Then tell the realip_module to get the addreses from the proxy protocol
# header.
real_ip_header proxy_protocol;
'';
};
};
}