author | V <v@unfathomable.blue> | 2021-06-09 15:43:16 +0200 |
---|---|---|
committer | V <v@unfathomable.blue> | 2021-08-17 03:09:34 +0200 |
commit | ec0965e2672899d25a5a3a8c072de3ea734076a2 (patch) | |
tree | ddf53e6cc5ae47fa1a925f7a7d6414ba03718a84 /fleet/modules/web.nix | |
parent | db7c54f92f386a94db8af7a12626d2657b4dd640 (diff) |
fleet: init
Co-authored-by: edef <edef@unfathomable.blue> Change-Id: I36d2c4cca542ed91630b1b832f3c7a7b97b33c65
Diffstat (limited to 'fleet/modules/web.nix')
-rw-r--r-- | fleet/modules/web.nix | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
new file mode 100644
index 0000000..709b1e4
--- /dev/null
+++ b/fleet/modules/web.nix
@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, pkgs, ... }:
+
+{
+ services.caddy = {
+ enable = true;
+
+ # Snippets must be defined before they are used, so the mkBefore ensures they come first.
+ config = lib.mkBefore ''
+ (all) {
+ log {
+ output file /var/log/caddy/access.log
+ }
+ header -Server
+ }
+
+ http:// {
+ import all
+ redir https://{host}{uri} 308
+ }
+
+ (common) {
+ import all
+
+ encode zstd gzip
+
+ header {
+ Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+ Content-Security-Policy "script-src 'none'; object-src 'none'"
+ Permissions-Policy "interest-cohort=()"
+ X-Clacks-Overhead "GNU Terry Pratchett"
+ }
+
+ handle_errors {
+ respond "{http.error.status_code} {http.error.status_text}"
+ }
+ }
+ '';
+ };
+
+ systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";
+
+ networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
+} |
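Review bot: The Content-Security-Policy set in the `(common)` header block restricts only `script-src` and `object-src`; with no `default-src` fallback and no `frame-ancestors` directive, every other resource type stays unrestricted and any site that imports the snippet can still be framed by arbitrary origins. If the snippet is meant as a locked-down baseline, `Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'"` (or at minimum adding `frame-ancestors 'none'`) would close that, and individual sites can override the header where they need more. The sites that import `common` are outside this file, so whether `'self'` is too strict for any of them cannot be judged here. Minor: the module takes `pkgs` in its argument set but never references it.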