# SPDX-FileCopyrightText: V <v@unfathomable.blue>
# SPDX-License-Identifier: OSL-3.0
{ lib, pkgs, ... }:
let
  # Global Caddyfile prelude. It only declares snippets and the plain-HTTP
  # listener; per-site blocks elsewhere are expected to `import common`.
  #
  # Security-relevant pieces:
  #   - `header -Server` strips the Server header from every response.
  #   - the http:// site upgrades every request to HTTPS with a 308, so no
  #     content is served unencrypted.
  #   - HSTS is set to two years with includeSubDomains and preload; once the
  #     host is on the preload list this is effectively irreversible, which is
  #     the intent.
  #   - NOTE(review): X-Content-Type-Options and Referrer-Policy are not set;
  #     confirm whether that is deliberate before adding them alongside the CSP TODO.
  #   - NOTE(review): `respond` inside handle_errors is given no explicit
  #     status; confirm the installed Caddy version keeps the original error
  #     status rather than answering 200.
  caddyPrelude = ''
    (all) {
      log {
        output file /var/log/caddy/access.log
      }
      header -Server
    }
    http:// {
      import all
      redir https://{host}{uri} 308
    }
    (common) {
      import all
      encode zstd gzip
      header {
        Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        # TODO(V): Define a content security policy. Make it report-only at first, to avoid breaking things.
        Permissions-Policy "interest-cohort=()"
        X-Clacks-Overhead "GNU Terry Pratchett"
      }
      handle_errors {
        respond "{http.error.status_code} {http.error.status_text}"
      }
    }
  '';
in
{
  services.caddy.enable = true;
  # Snippets must be defined before they are used; mkBefore orders this
  # prelude ahead of any extraConfig contributed by other modules.
  services.caddy.extraConfig = lib.mkBefore caddyPrelude;

  # Only the public interface is opened, and only for HTTP/HTTPS.
  networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
}