diff options
Diffstat (limited to 'hosts/surtr/matrix/default.nix')
| -rw-r--r-- | hosts/surtr/matrix/default.nix | 40 |
1 files changed, 33 insertions, 7 deletions
diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix index fcebf9c1..7a1b968e 100644 --- a/hosts/surtr/matrix/default.nix +++ b/hosts/surtr/matrix/default.nix | |||
| @@ -141,6 +141,9 @@ with lib; | |||
| 141 | recommendedProxySettings = true; | 141 | recommendedProxySettings = true; |
| 142 | 142 | ||
| 143 | upstreams."matrix-synapse" = { | 143 | upstreams."matrix-synapse" = { |
| 144 | extraConfig = '' | ||
| 145 | keepalive 64; | ||
| 146 | ''; | ||
| 144 | servers = { | 147 | servers = { |
| 145 | "127.0.0.1:8008" = {}; | 148 | "127.0.0.1:8008" = {}; |
| 146 | }; | 149 | }; |
| @@ -175,7 +178,11 @@ with lib; | |||
| 175 | proxyPass = "http://matrix-synapse"; | 178 | proxyPass = "http://matrix-synapse"; |
| 176 | extraConfig = '' | 179 | extraConfig = '' |
| 177 | client_max_body_size 500M; | 180 | client_max_body_size 500M; |
| 181 | |||
| 178 | proxy_pass_header Server; | 182 | proxy_pass_header Server; |
| 183 | |||
| 184 | proxy_http_version 1.1; | ||
| 185 | proxy_set_header "Connection" ""; | ||
| 179 | ''; | 186 | ''; |
| 180 | }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // { | 187 | }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // { |
| 181 | "= /.well-known/matrix/server" = { | 188 | "= /.well-known/matrix/server" = { |
| @@ -201,7 +208,16 @@ with lib; | |||
| 201 | }; | 208 | }; |
| 202 | }; | 209 | }; |
| 203 | 210 | ||
| 204 | virtualHosts."element.synapse.li" = { | 211 | virtualHosts."element.synapse.li" = let |
| 212 | headerDirectives = '' | ||
| 213 | add_header Strict-Transport-Security "max-age=63072000" always; | ||
| 214 | |||
| 215 | add_header X-Frame-Options SAMEORIGIN always; | ||
| 216 | add_header X-Content-Type-Options nosniff always; | ||
| 217 | add_header X-XSS-Protection "1; mode=block" always; | ||
| 218 | add_header Content-Security-Policy "frame-ancestors 'self'" always; | ||
| 219 | ''; | ||
| 220 | in { | ||
| 205 | forceSSL = true; | 221 | forceSSL = true; |
| 206 | kTLS = true; | 222 | kTLS = true; |
| 207 | http3 = true; | 223 | http3 = true; |
| @@ -209,12 +225,7 @@ with lib; | |||
| 209 | sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem"; | 225 | sslCertificateKey = "/run/credentials/nginx.service/element.synapse.li.key.pem"; |
| 210 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; | 226 | sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem"; |
| 211 | extraConfig = '' | 227 | extraConfig = '' |
| 212 | add_header Strict-Transport-Security "max-age=63072000" always; | 228 | error_page 500 502 503 504 /50x.html; |
| 213 | |||
| 214 | add_header X-Frame-Options SAMEORIGIN; | ||
| 215 | add_header X-Content-Type-Options nosniff; | ||
| 216 | add_header X-XSS-Protection "1; mode=block"; | ||
| 217 | add_header Content-Security-Policy "frame-ancestors 'self'"; | ||
| 218 | ''; | 229 | ''; |
| 219 | 230 | ||
| 220 | root = pkgs.element-web.override { | 231 | root = pkgs.element-web.override { |
| @@ -225,6 +236,21 @@ with lib; | |||
| 225 | }; | 236 | }; |
| 226 | }; | 237 | }; |
| 227 | }; | 238 | }; |
| 239 | |||
| 240 | locations = { | ||
| 241 | "= /index.html".extraConfig = '' | ||
| 242 | ${headerDirectives} | ||
| 243 | add_header Cache-Control "no-cache" always; | ||
| 244 | ''; | ||
| 245 | "= /version".extraConfig = '' | ||
| 246 | ${headerDirectives} | ||
| 247 | add_header Cache-Control "no-cache" always; | ||
| 248 | ''; | ||
| 249 | "/config".extraConfig = '' | ||
| 250 | ${headerDirectives} | ||
| 251 | add_header Cache-Control "no-cache" always; | ||
| 252 | ''; | ||
| 253 | }; | ||
| 228 | }; | 254 | }; |
| 229 | }; | 255 | }; |
| 230 | 256 | ||