authorV <v@unfathomable.blue>2021-06-09 15:43:16 +0200
committerV <v@unfathomable.blue>2021-08-17 03:09:34 +0200
commitec0965e2672899d25a5a3a8c072de3ea734076a2 (patch)
treeddf53e6cc5ae47fa1a925f7a7d6414ba03718a84 /fleet/modules/web.nix
parentdb7c54f92f386a94db8af7a12626d2657b4dd640 (diff)
fleet: init
Co-authored-by: edef <edef@unfathomable.blue>
Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
Diffstat (limited to 'fleet/modules/web.nix')
-rw-r--r--fleet/modules/web.nix46
1 files changed, 46 insertions, 0 deletions
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
new file mode 100644
index 0000000..709b1e4
--- /dev/null
+++ b/fleet/modules/web.nix
@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, pkgs, ... }:
+
+{
+  services.caddy = {
+    enable = true;
+
+    # Snippets must be defined before they are used, so the mkBefore ensures they come first.
+    config = lib.mkBefore ''
+      (all) {
+        log {
+          output file /var/log/caddy/access.log
+        }
+        header -Server
+      }
+
+      http:// {
+        import all
+        redir https://{host}{uri} 308
+      }
+
+      (common) {
+        import all
+
+        encode zstd gzip
+
+        header {
+          Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+          Content-Security-Policy "script-src 'none'; object-src 'none'"
+          Permissions-Policy "interest-cohort=()"
+          X-Clacks-Overhead "GNU Terry Pratchett"
+        }
+
+        handle_errors {
+          respond "{http.error.status_code} {http.error.status_text}"
+        }
+      }
+    '';
+  };
+
+  systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";
+
+  networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
+}
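Review bot: The Content-Security-Policy set in the `(common)` snippet restricts only `script-src` and `object-src`, so a page served with it can still be framed by any origin and its `<base>` element is unconstrained; since no `X-Frame-Options` or `frame-ancestors` is present anywhere in the file, clickjacking of these sites is not mitigated. A minimal tightening that does not affect resource loading would be `Content-Security-Policy "script-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'"` together with `X-Content-Type-Options "nosniff"` in the same `header` block; `frame-ancestors` should be relaxed per-site if something is meant to be embedded. The HSTS value already carries `preload` with `includeSubDomains`, which is a long-lived commitment for every subdomain of each host using the snippet, so a short comment above that line noting the intent (e.g. `# preload: all subdomains must be HTTPS-only before submitting to the preload list`) would help the next maintainer. The firewall rule is tied to the `ens3` interface name, which presumably holds for the target machines; a comment stating that assumption would avoid a silent no-op if the interface is renamed.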