{ config, pkgs, ... }: let elementAdminVersion = "0.1.4"; elementAdmin = pkgs.stdenv.mkDerivation (finalAttrs: { pname = "element-admin"; version = elementAdminVersion; src = pkgs.fetchzip { url = "https://github.com/element-hq/element-admin/archive/refs/tags/v${elementAdminVersion}.zip"; sha256 = "sha256-dTHE0rg7W0k4e12s3v8yD/rBOYpIEqNN1VV4P3KtpQs="; }; nativeBuildInputs = [ pkgs.nodejs pkgs.pnpm.configHook ]; pnpmDeps = pkgs.pnpm.fetchDeps { inherit (finalAttrs) pname version src; fetcherVersion = 2; hash = "sha256-YBSZIHNffS3Um0imYNmX9c1q193rphr+8lQ4tp7AcXw="; }; buildPhase = '' pnpm build ''; installPhase = '' cp -a dist $out ''; }); in { services.nginx = { enable = true; virtualHosts."acme-element-admin.hamburg.ccc.de" = { enableACME = true; serverName = "element-admin.hamburg.ccc.de"; listen = [ { addr = "0.0.0.0"; port = 31820; } ]; }; virtualHosts."element-admin.hamburg.ccc.de" = { forceSSL = true; useACMEHost = "element-admin.hamburg.ccc.de"; listen = [ { addr = "0.0.0.0"; port = 8443; ssl = true; proxyProtocol = true; } ]; root = elementAdmin; locations."/assets" = { extraConfig = '' expires 1y; add_header Cache-Control "public, max-age=31536000, immutable"; # Security headers. add_header X-Frame-Options "DENY" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; ''; }; locations."/" = { index = "/index.html"; tryFiles = "$uri $uri/ /"; extraConfig = '' # Security headers. add_header X-Frame-Options "DENY" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; ''; }; extraConfig = '' # Security headers. add_header X-Frame-Options "DENY" always; add_header X-XSS-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Referrer-Policy "strict-origin-when-cross-origin" always; add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' blob: data:; font-src 'self'; connect-src *; object-src 'none'; media-src 'self'; child-src 'none'; worker-src 'self'; manifest-src 'self';" always; add_header Permissions-Policy "geolocation=(), camera=(), microphone=(), payment=(), usb=(), magnetometer=(), accelerometer=(), gyroscope=()" always; # Make use of the ngx_http_realip_module to set the $remote_addr and # $remote_port to the client address and client port, when using proxy # protocol. # First set our proxy protocol proxy as trusted. set_real_ip_from 172.31.17.140; # Then tell the realip_module to get the addreses from the proxy protocol # header. real_ip_header proxy_protocol; ''; }; }; networking.firewall.allowedTCPPorts = [ 8443 31820 ]; }