ryan.freumh.org / eilean-nix
Self-host your own digital island
fork atom

security updates

Ryan Gibb 6663440b ae558fdc

options
unified split
Changed files
+8 -8
modules
dns.nix
matrix.nix
-6
modules/dns.nix 
···

       
39

       
39

       
 

       
      ]) cfg.dns.nameservers ++


     

       
40

       
40

       
 

       
      [


     

       
41

       
41

       
 

       
        {


     

       
42

       

       
-

       
          name = "www";


     

       
43

       

       
-

       
          type = "CNAME";


     

       
44

       

       
-

       
          data = "@";


     

       
45

       

       
-

       
        }


     

       
46

       

       
-

       



     

       
47

       

       
-

       
        {


     

       
48

       
42

       
 

       
          name = "@";


     

       
49

       
43

       
 

       
          type = "A";


     

       
50

       
44

       
 

       
          data = cfg.serverIpv4;
+8 -2
modules/matrix.nix 
···

       
44

       
44

       
 

       
              # the client-server and server-server port for simplicity


     

       
45

       
45

       
 

       
              server = { "m.server" = "matrix.${config.networking.domain}:443"; };


     

       
46

       
46

       
 

       
            in ''


     

       
47

       

       
-

       
              add_header Content-Type application/json;


     

       

       
47

       
+

       
              default_type application/json;


     

       
48

       
48

       
 

       
              return 200 '${builtins.toJSON server}';


     

       
49

       
49

       
 

       
            '';


     

       
50

       
50

       
 

       
          locations."= /.well-known/matrix/client".extraConfig =


     
···

       
54

       
54

       
 

       
                "m.identity_server" =  { "base_url" = "https://vector.im"; };


     

       
55

       
55

       
 

       
              };


     

       
56

       
56

       
 

       
            # ACAO required to allow element-web on any URL to request this json file


     

       

       
57

       
+

       
            # set other headers due to https://github.com/yandex/gixy/blob/master/docs/en/plugins/addheaderredefinition.md


     

       
57

       
58

       
 

       
            in ''


     

       
58

       

       
-

       
              add_header Content-Type application/json;


     

       

       
59

       
+

       
              default_type application/json;


     

       
59

       
60

       
 

       
              add_header Access-Control-Allow-Origin *;


     

       

       
61

       
+

       
              add_header Strict-Transport-Security max-age=31536000 always;


     

       

       
62

       
+

       
              add_header X-Frame-Options SAMEORIGIN always;


     

       

       
63

       
+

       
              add_header X-Content-Type-Options nosniff always;


     

       

       
64

       
+

       
              add_header Content-Security-Policy "default-src 'self'; base-uri 'self'; frame-src 'self'; frame-ancestors 'self'; form-action 'self';" always;


     

       

       
65

       
+

       
              add_header Referrer-Policy 'same-origin';


     

       
60

       
66

       
 

       
              return 200 '${builtins.toJSON client}';


     

       
61

       
67

       
 

       
            '';


     

       
62

       
68

       
 

       
        };