authorAlan Pearce2024-06-07 10:04:16 +0200
committerAlan Pearce2024-06-07 10:31:38 +0200
commitb32bf5bbd6ab2d493df866b0e6f7ecc83b731eaa (patch)
treeeaa83569b25af5d7f0c83c9124a27db724eae80f /lib
parentabbb369ade5c2450e85c0803b47dc6808653951c (diff)
linde: extract git server setup to own file
Diffstat (limited to 'lib')
-rw-r--r--lib/caddy.nix47
1 files changed, 47 insertions, 0 deletions
diff --git a/lib/caddy.nix b/lib/caddy.nix
new file mode 100644
index 00000000..42777eeb
--- /dev/null
+++ b/lib/caddy.nix
@@ -0,0 +1,47 @@
+{ lib
+, ...
+}:
+rec {
+  subValue = v:
+    if builtins.isList v
+    then
+      builtins.concatStringsSep " "
+        (builtins.map
+          (v:
+            (if lib.strings.hasPrefix "http" v
+            then v
+            else "'${v}'"))
+          v)
+    else toString v;
+
+  headerValue = sep: val:
+    if builtins.isAttrs val
+    then
+      builtins.concatStringsSep "; "
+        (lib.attrsets.mapAttrsToList
+          (k: v:
+            if builtins.isBool v then k else
+            "${k}${sep}${subValue v}"
+          )
+          val)
+    else toString val;
+  genHeader = header:
+    let
+      sep = if header == "content-security-policy" then " " else "=";
+    in
+    value: "${header} \"${headerValue sep value}\"";
+
+  headers = matcher: headers: ''
+    header ${matcher} {
+      ${builtins.concatStringsSep "\n"
+        (lib.attrsets.mapAttrsToList genHeader headers)}
+    }
+  '';
+  security-headers = { matcher ? "", overrides ? { } }: headers matcher ({
+    strict-transport-security = {
+      max-age = 2 * 365 * 24 * 60 * 60;
+    };
+    x-content-type-options = "nosniff";
+    x-frame-options = "DENY";
+  } // overrides);
+}
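Review bot: In `security-headers` the `// overrides` merge is shallow, so an override such as `strict-transport-security = { includeSubDomains = true; }` replaces the whole attrset and drops `max-age`; an HSTS header without `max-age` is invalid and browsers ignore it, so the protection would be lost silently. Merging with `lib.attrsets.recursiveUpdate { ... } overrides` would keep the defaults while still allowing per-directive changes. Separately, in `headerValue` the `if builtins.isBool v then k` branch emits the directive name even when the value is `false`, so `preload = false` still sends `preload`; filtering the set first, e.g. `(lib.attrsets.filterAttrs (_: v: v != false) val)`, would avoid that. `genHeader` also interpolates the value into a double-quoted Caddyfile string without escaping `"`, so a comment such as `# values must not contain double quotes` (or an escape step) would help.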