forked from CCCHH/nix-infra
94 lines
2.7 KiB
Nix
94 lines
2.7 KiB
Nix
|
{ pkgs, ... }:
|
||
|
|
||
|
let
|
||
|
element-web = pkgs.fetchzip {
|
||
|
url = "https://github.com/vector-im/element-web/releases/download/v1.11.45/element-v1.11.45.tar.gz";
|
||
|
sha256 = "sha256-nwRsBIF9vcHZkyVsLA2sU2cmuzALEIIOcWQRGfd+5xs=";
|
||
|
};
|
||
|
elementSecurityHeaders = ''
|
||
|
# Configuration best practices
|
||
|
# See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
|
||
|
add_header X-Frame-Options SAMEORIGIN;
|
||
|
add_header X-Content-Type-Options nosniff;
|
||
|
add_header X-XSS-Protection "1; mode=block";
|
||
|
add_header Content-Security-Policy "frame-ancestors 'none'";
|
||
|
|
||
|
add_header Strict-Transport-Security "max-age=63072000" always;
|
||
|
'';
|
||
|
in
|
||
|
{
|
||
|
services.nginx.virtualHosts = {
|
||
|
"acme-element.hamburg.ccc.de" = {
|
||
|
default = true;
|
||
|
enableACME = true;
|
||
|
serverName = "element.hamburg.ccc.de";
|
||
|
|
||
|
listen = [
|
||
|
{
|
||
|
addr = "0.0.0.0";
|
||
|
port = 31820;
|
||
|
}
|
||
|
];
|
||
|
};
|
||
|
|
||
|
"element.hamburg.ccc.de" = {
|
||
|
default = true;
|
||
|
forceSSL = true;
|
||
|
useACMEHost = "element.hamburg.ccc.de";
|
||
|
|
||
|
listen = [
|
||
|
{
|
||
|
addr = "0.0.0.0";
|
||
|
port = 8443;
|
||
|
ssl = true;
|
||
|
extraParameters = [ "proxy_protocol" ];
|
||
|
}
|
||
|
];
|
||
|
|
||
|
root = pkgs.buildEnv {
|
||
|
name = "element-web";
|
||
|
paths = [
|
||
|
element-web
|
||
|
./element-web-config
|
||
|
];
|
||
|
};
|
||
|
|
||
|
# Set no-cache for the version, config and index.html
|
||
|
# so that browsers always check for a new copy of Element Web.
|
||
|
# NB http://your-domain/ and http://your-domain/? are also covered by this
|
||
|
|
||
|
locations."= /index.html" = {
|
||
|
extraConfig = elementSecurityHeaders + ''
|
||
|
add_header Cache-Control "no-cache";
|
||
|
'';
|
||
|
};
|
||
|
locations."= /version" = {
|
||
|
extraConfig = elementSecurityHeaders + ''
|
||
|
add_header Cache-Control "no-cache";
|
||
|
'';
|
||
|
};
|
||
|
# covers config.json and config.hostname.json requests as it is prefix.
|
||
|
locations."/config" = {
|
||
|
extraConfig = elementSecurityHeaders + ''
|
||
|
add_header Cache-Control "no-cache";
|
||
|
'';
|
||
|
};
|
||
|
extraConfig = elementSecurityHeaders + ''
|
||
|
index index.html;
|
||
|
|
||
|
# redirect server error pages to the static page /50x.html
|
||
|
error_page 500 502 503 504 /50x.html;
|
||
|
|
||
|
# Make use of the ngx_http_realip_module to set the $remote_addr and
|
||
|
# $remote_port to the client address and client port, when using proxy
|
||
|
# protocol.
|
||
|
# First set our proxy protocol proxy as trusted.
|
||
|
set_real_ip_from 172.31.17.140;
|
||
|
# Then tell the realip_module to get the addreses from the proxy protocol
|
||
|
# header.
|
||
|
real_ip_header proxy_protocol;
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
}
|