From b32bf5bbd6ab2d493df866b0e6f7ecc83b731eaa Mon Sep 17 00:00:00 2001
From: Alan Pearce
Date: Fri, 7 Jun 2024 10:04:16 +0200
Subject: linde: extract git server setup to own file

---
 lib/caddy.nix | 47 +++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 47 insertions(+)
 create mode 100644 lib/caddy.nix

(limited to 'lib')

diff --git a/lib/caddy.nix b/lib/caddy.nix
new file mode 100644
index 00000000..42777eeb
--- /dev/null
+++ b/lib/caddy.nix
@@ -0,0 +1,47 @@
+{ lib
+, ...
+}:
+rec {
+  subValue = v:
+    if builtins.isList v
+    then
+      builtins.concatStringsSep " "
+        (builtins.map
+          (v:
+            (if lib.strings.hasPrefix "http" v
+            then v
+            else "'${v}'"))
+          v)
+    else toString v;
+
+  headerValue = sep: val:
+    if builtins.isAttrs val
+    then
+      builtins.concatStringsSep "; "
+        (lib.attrsets.mapAttrsToList
+          (k: v:
+            if builtins.isBool v then k else
+            "${k}${sep}${subValue v}"
+          )
+          val)
+    else toString val;
+  genHeader = header:
+    let
+      sep = if header == "content-security-policy" then " " else "=";
+    in
+    value: "${header} \"${headerValue sep value}\"";
+
+  headers = matcher: headers: ''
+    header ${matcher} {
+      ${builtins.concatStringsSep "\n"
+        (lib.attrsets.mapAttrsToList genHeader headers)}
+    }
+  '';
+  security-headers = { matcher ? "", overrides ? { } }: headers matcher ({
+    strict-transport-security = {
+      max-age = 2 * 365 * 24 * 60 * 60;
+    };
+    x-content-type-options = "nosniff";
+    x-frame-options = "DENY";
+  } // overrides);
+}
-- 
cgit 1.4.1