Diffstat (limited to 'fleet/modules/web.nix')
-rw-r--r--fleet/modules/web.nix46
1 files changed, 46 insertions, 0 deletions
diff --git a/fleet/modules/web.nix b/fleet/modules/web.nix
new file mode 100644
index 0000000..709b1e4
--- /dev/null
+++ b/fleet/modules/web.nix
@@ -0,0 +1,46 @@
+# SPDX-FileCopyrightText: V <v@unfathomable.blue>
+# SPDX-License-Identifier: OSL-3.0
+
+{ lib, pkgs, ... }:
+
+{
+  services.caddy = {
+    enable = true;
+
+    # Snippets must be defined before they are used, so the mkBefore ensures they come first.
+    config = lib.mkBefore ''
+      (all) {
+        log {
+          output file /var/log/caddy/access.log
+        }
+        header -Server
+      }
+
+      http:// {
+        import all
+        redir https://{host}{uri} 308
+      }
+
+      (common) {
+        import all
+
+        encode zstd gzip
+
+        header {
+          Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
+          Content-Security-Policy "script-src 'none'; object-src 'none'"
+          Permissions-Policy "interest-cohort=()"
+          X-Clacks-Overhead "GNU Terry Pratchett"
+        }
+
+        handle_errors {
+          respond "{http.error.status_code} {http.error.status_text}"
+        }
+      }
+    '';
+  };
+
+  systemd.services.caddy.serviceConfig.LogsDirectory = "caddy";
+
+  networking.firewall.interfaces.ens3.allowedTCPPorts = [ 80 443 ];
+}
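Review bot: The Content-Security-Policy in the (common) snippet (line with `Content-Security-Policy "script-src 'none'; object-src 'none'"`) sets no `frame-ancestors` and no `default-src`, so pages that import `common` can still be framed by any origin and every fetch directive other than script/object falls back to unrestricted; `frame-ancestors` and `base-uri` also never inherit from `default-src`, so they need to be listed explicitly. For a static-site profile that already forbids scripts, `Content-Security-Policy "default-src 'self'; script-src 'none'; object-src 'none'; frame-ancestors 'none'; base-uri 'none'"` together with `X-Content-Type-Options "nosniff"` and `Referrer-Policy "no-referrer"` in the same `header { ... }` block would close those gaps; `default-src 'self'` presumably needs adjusting per site if any of them loads external images, styles or fonts. Note these headers only apply to site blocks that `import common`; the `http://` block imports only `all`, which is fine since it just redirects. A comment on the snippet stating that each site is expected to `import common` (and that `all` alone carries no security headers) would make that contract visible to whoever adds the next vhost.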