sail: Fix HSTS preload entries

2023-03-06 23:39:49 +01:00 · 2023-03-06 23:39:49 +01:00 · 17c445c8e4
commit 17c445c8e4
parent 6adbb3bbda
5 changed files with 25 additions and 10 deletions
--- a/container/webserver/default.nix
+++ b/container/webserver/default.nix
@ -51,6 +51,7 @@ in

    extraConfig = ''
      index index.html;
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    '';

    locations."~* \.html$".extraConfig = ''
--- a/system/nixos/freshrss.nix
+++ b/system/nixos/freshrss.nix
@ -27,6 +27,10 @@
    forceSSL = true;
    useACMEHost = "kempkens.io";

+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    '';
+
    # php files handling
    # this regex is mandatory because of the API
    locations."~ ^.+?\.php(/.*)?$".extraConfig = ''
--- a/system/nixos/mastodon.nix
+++ b/system/nixos/mastodon.nix
@ -77,6 +77,10 @@ in
    forceSSL = true;
    useACMEHost = "kempkens.io";

+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    '';
+
    locations."/system/" = {
      extraConfig = ''
        rewrite ^/system/?(.*)$ https://mastodon-cdn.kempkens.io/$1 permanent;
--- a/system/nixos/ntfy-sh.nix
+++ b/system/nixos/ntfy-sh.nix
@ -20,18 +20,20 @@
    };
  };

-  services.nginx = {
-    virtualHosts."ntfy.kempkens.io" = {
-      http3 = true;
+  services.nginx.virtualHosts."ntfy.kempkens.io" = {
+    http3 = true;

-      forceSSL = true;
-      useACMEHost = "kempkens.io";
+    forceSSL = true;
+    useACMEHost = "kempkens.io";

-      locations."/" = {
-        recommendedProxySettings = true;
-        proxyWebsockets = true;
-        proxyPass = "http://127.0.0.1:8004";
-      };
+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    '';
+
+    locations."/" = {
+      recommendedProxySettings = true;
+      proxyWebsockets = true;
+      proxyPass = "http://127.0.0.1:8004";
    };
  };
 }
--- a/system/nixos/synapse.nix
+++ b/system/nixos/synapse.nix
@ -95,6 +95,10 @@
    forceSSL = true;
    useACMEHost = "kempkens.io";

+    extraConfig = ''
+      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+    '';
+
    locations."~ ^(/_matrix|/_synapse/client)" = {
      recommendedProxySettings = true;
      proxyPass = "http://127.0.0.1:8008";