From 17c445c8e45df2f50633794015f1011d84b55627 Mon Sep 17 00:00:00 2001
From: Daniel Kempkens
Date: Mon, 6 Mar 2023 23:39:49 +0100
Subject: [PATCH] sail: Fix HSTS preload entries
---
 container/webserver/default.nix | 1 +
 system/nixos/freshrss.nix | 4 ++++
 system/nixos/mastodon.nix | 4 ++++
 system/nixos/ntfy-sh.nix | 22 ++++++++++++----------
 system/nixos/synapse.nix | 4 ++++
 5 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/container/webserver/default.nix b/container/webserver/default.nix
index 9fe7bf3..3115b30 100644
--- a/container/webserver/default.nix
+++ b/container/webserver/default.nix
@@ -51,6 +51,7 @@ in
 extraConfig = ''
 index index.html;
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
 '';
 locations."~* \.html$".extraConfig = ''
diff --git a/system/nixos/freshrss.nix b/system/nixos/freshrss.nix
index 2ba4c31..4062b20 100644
--- a/system/nixos/freshrss.nix
+++ b/system/nixos/freshrss.nix
@@ -27,6 +27,10 @@
 forceSSL = true;
 useACMEHost = "kempkens.io";
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+
 # php files handling
 # this regex is mandatory because of the API
 locations."~ ^.+?\.php(/.*)?$".extraConfig = ''
diff --git a/system/nixos/mastodon.nix b/system/nixos/mastodon.nix
index 7238ef2..ec3ce0e 100644
--- a/system/nixos/mastodon.nix
+++ b/system/nixos/mastodon.nix
@@ -77,6 +77,10 @@ in
 forceSSL = true;
 useACMEHost = "kempkens.io";
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+
 locations."/system/" = {
 extraConfig = ''
 rewrite ^/system/?(.*)$ https://mastodon-cdn.kempkens.io/$1 permanent;
diff --git a/system/nixos/ntfy-sh.nix b/system/nixos/ntfy-sh.nix
index 92802ce..920baf8 100644
--- a/system/nixos/ntfy-sh.nix
+++ b/system/nixos/ntfy-sh.nix
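Review bot: In container/webserver/default.nix the HSTS header is set only at server level, while the `locations."~* \.html$".extraConfig` block that follows (its body is outside the hunk) may define `add_header` lines of its own. nginx inherits `add_header` from the enclosing level only when the current level defines none, so responses from such a location would be served without HSTS. If that location does set headers, repeat `add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;` inside it. The same check applies to the `.php` location in freshrss.nix and the `/system/` location in mastodon.nix. A comment such as `# add_header is not inherited by locations that set their own headers` above the directive would keep this visible.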
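Review bot: The `extraConfig` added in system/nixos/freshrss.nix repeats, character for character, the HSTS line this commit also adds in default.nix, mastodon.nix, ntfy-sh.nix and synapse.nix, so a later change to `max-age` or the `preload` token has to be made in five places and a missed host silently drifts from the rest. Defining the line once in a shared Nix binding and interpolating it, e.g. `extraConfig = hstsHeader;` (name is illustrative; where it would live is not visible here), keeps the policy uniform. A one-line comment next to that definition should say that `includeSubDomains; preload` commits every host below the name to HTTPS, because removal from a preload list is slow.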
@@ -20,18 +20,20 @@
 };
 };
- services.nginx = {
- virtualHosts."ntfy.kempkens.io" = {
- http3 = true;
+ services.nginx.virtualHosts."ntfy.kempkens.io" = {
+ http3 = true;
- forceSSL = true;
- useACMEHost = "kempkens.io";
+ forceSSL = true;
+ useACMEHost = "kempkens.io";
- locations."/" = {
- recommendedProxySettings = true;
- proxyWebsockets = true;
- proxyPass = "http://127.0.0.1:8004";
- };
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+
+ locations."/" = {
+ recommendedProxySettings = true;
+ proxyWebsockets = true;
+ proxyPass = "http://127.0.0.1:8004";
 };
 };
 }
diff --git a/system/nixos/synapse.nix b/system/nixos/synapse.nix
index a99b54a..5dcf1f6 100644
--- a/system/nixos/synapse.nix
+++ b/system/nixos/synapse.nix
@@ -95,6 +95,10 @@
 forceSSL = true;
 useACMEHost = "kempkens.io";
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+
 locations."~ ^(/_matrix|/_synapse/client)" = {
 recommendedProxySettings = true;
 proxyPass = "http://127.0.0.1:8008";
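Review bot: The `locations."/"` block in system/nixos/ntfy-sh.nix proxies to `http://127.0.0.1:8004`, and if that backend already sends its own `Strict-Transport-Security`, nginx passes it through and adds this one as well, so the response carries two HSTS headers that may disagree. Whether the backend does so is not visible in the hunk; inspecting the response headers of the deployed host settles it. If it does, add `proxy_hide_header Strict-Transport-Security;` to the same `extraConfig` so that only the nginx value reaches the client. The proxied location in synapse.nix (`proxyPass = "http://127.0.0.1:8008"`) needs the same check, and presumably so does mastodon.nix, whose proxy locations are outside its hunk.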