linde: extract git server setup to own file

1 files changed, 47 insertions, 0 deletions

diff --git a/lib/caddy.nix b/lib/caddy.nix
new file mode 100644
index 00000000..42777eeb
--- /dev/null
+++ b/lib/caddy.nix
@@ -0,0 +1,47 @@
+{ lib
+, ...
+}:
+rec {
+  subValue = v:
+    if builtins.isList v
+    then
+      builtins.concatStringsSep " "
+        (builtins.map
+          (v:
+            (if lib.strings.hasPrefix "http" v
+            then v
+            else "'${v}'"))
+          v)
+    else toString v;
+
+  headerValue = sep: val:
+    if builtins.isAttrs val
+    then
+      builtins.concatStringsSep "; "
+        (lib.attrsets.mapAttrsToList
+          (k: v:
+            if builtins.isBool v then k else
+            "${k}${sep}${subValue v}"
+          )
+          val)
+    else toString val;
+  genHeader = header:
+    let
+      sep = if header == "content-security-policy" then " " else "=";
+    in
+    value: "${header} \"${headerValue sep value}\"";
+
+  headers = matcher: headers: ''
+    header ${matcher} {
+      ${builtins.concatStringsSep "\n"
+        (lib.attrsets.mapAttrsToList genHeader headers)}
+    }
+  '';
+  security-headers = { matcher ? "", overrides ? { } }: headers matcher ({
+    strict-transport-security = {
+      max-age = 2 * 365 * 24 * 60 * 60;
+    };
+    x-content-type-options = "nosniff";
+    x-frame-options = "DENY";
+  } // overrides);
+}