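{ lib
, ...
}:
# Helpers that render HTTP response headers into Caddyfile `header` blocks.
# Header values are plain Nix strings, lists or attrsets that get flattened
# into the `Header-Name "value"` lines Caddy expects; `security-headers` is
# the entry point that adds a small set of hardening defaults.
rec {
  # Render a single CSP source expression.  CSP keywords (`self`, `none`,
  # `unsafe-inline`, `nonce-…`, `sha256-…`) must be single-quoted, while host
  # and scheme sources (`https://cdn.example`, `*.example.org`, `data:`) must
  # NOT be: browsers treat a quoted host/scheme such as `'data:'` as an
  # unknown source expression and silently drop it, so the directive ends up
  # stricter than the configuration reads.  A value is therefore left
  # unquoted when it is already quoted, starts with "http", or contains a
  # character only a host/scheme/path source can carry (`*`, `:`, `.`, `/`).
  # A dot-less bare hostname (e.g. `localhost`) does not match this test and
  # should be written as `http://localhost` to stay unquoted.
  cspSource = s:
    let
      str = toString s;
      alreadyQuoted = lib.strings.hasPrefix "'" str;
      hostOrScheme = builtins.match ".*[*:./].*" str != null;
    in
    if alreadyQuoted || hostOrScheme || lib.strings.hasPrefix "http" str
    then str
    else "'${str}'";

  # Render one directive value: a list is a space-separated CSP source list
  # (each element passed through `cspSource`); anything else is `toString`ed.
  subValue = v:
    if builtins.isList v
    then builtins.concatStringsSep " " (builtins.map cspSource v)
    else toString v;

  # Render a header value.  An attrset becomes `key<sep>value` pairs joined
  # with "; " in attribute (i.e. key-sorted) order.  A boolean value is a
  # flag: `true` emits the bare key, `false` omits the entry entirely, so a
  # default flag can be switched off through `overrides` instead of being
  # emitted regardless of its value.  Anything else is `toString`ed as-is.
  headerValue = sep: val:
    if builtins.isAttrs val
    then
      builtins.concatStringsSep "; "
        (builtins.filter (d: d != null)
          (lib.attrsets.mapAttrsToList
            (k: v:
              if builtins.isBool v
              then (if v then k else null)
              else "${k}${sep}${subValue v}")
            val))
    else toString val;

  # Render `header "value"` for one Caddyfile line.  CSP directives are
  # `name value`; every other structured header is `name=value`.  The value
  # is placed inside a double-quoted Caddyfile token, so an embedded `"` is
  # escaped as `\"` rather than terminating the token and corrupting the
  # rest of the Caddyfile.
  genHeader = header:
    let
      sep = if header == "content-security-policy" then " " else "=";
      quote = s: "\"${builtins.replaceStrings [ "\"" ] [ "\\\"" ] s}\"";
    in
    value: "${header} ${quote (headerValue sep value)}";

  # Render a complete Caddyfile `header` block for `matcher` (may be "") from
  # an attrset of header-name -> value.
  headers = matcher: headers: ''
    header ${matcher} {
      ${builtins.concatStringsSep "\n"
        (lib.attrsets.mapAttrsToList genHeader headers)}
    }
  '';

  # Hardening defaults, merged shallowly (`//`) with `overrides`:
  #   - strict-transport-security: two-year max-age (63072000 s) for the
  #     exact host only.  `includeSubDomains`/`preload` are not defaulted
  #     because they bind every subdomain and are hard to revert; enable them
  #     with `overrides.strict-transport-security = { max-age = 63072000;
  #     includeSubDomains = true; preload = true; }` (the merge replaces the
  #     whole attrset, so max-age must be restated).
  #   - x-content-type-options: nosniff.
  #   - x-frame-options: DENY (pair with a CSP `frame-ancestors` directive
  #     via `overrides.content-security-policy` for modern browsers).
  # An override of `null` removes that header from the block instead of
  # emitting it with an empty value.
  security-headers = { matcher ? "", overrides ? { } }:
    let
      defaults = {
        strict-transport-security = {
          max-age = 2 * 365 * 24 * 60 * 60;
        };
        x-content-type-options = "nosniff";
        x-frame-options = "DENY";
      };
      merged = defaults // overrides;
      dropped = builtins.filter (k: merged.${k} == null) (builtins.attrNames merged);
    in
    headers matcher (builtins.removeAttrs merged dropped);
}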