From 4022922b969772fb6475a13e8a2f12da7afe311d Mon Sep 17 00:00:00 2001
From: Gregor Kleen <gkleen@yggdrasil.li>
Date: Tue, 1 Mar 2022 11:47:50 +0100
Subject: surtr: matrix: ...

---
 hosts/surtr/matrix/default.nix | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

(limited to 'hosts/surtr/matrix')

diff --git a/hosts/surtr/matrix/default.nix b/hosts/surtr/matrix/default.nix
index 936a0528..55adffd3 100644
--- a/hosts/surtr/matrix/default.nix
+++ b/hosts/surtr/matrix/default.nix
@@ -57,6 +57,8 @@ with lib;
           "url_preview_ip_range_whitelist" = [
             "2a03:4000:52:ada::/128"
           ];
+
+          "max_upload_size" = "500M";
         }))
       ];
     };
@@ -112,7 +114,7 @@ with lib;
             add_header Access-Control-Allow-Headers 'X-Requested-With, Content-Type, Authorization';
             add_header Access-Control-Max-Age 7200;
           '';
-        in listToAttrs (map (n: nameValuePair n { proxyPass = "http://matrix-synapse"; }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // {
+        in listToAttrs (map (n: nameValuePair n { proxyPass = "http://matrix-synapse"; extraConfig = "client_max_body_size 500M;"; }) ["/_matrix" "/_synapse/client" "/_synapse/admin"]) // {
           "= /.well-known/matrix/server" = {
             extraConfig = ''
               default_type application/json;
@@ -143,6 +145,11 @@ with lib;
         sslTrustedCertificate = "/run/credentials/nginx.service/element.synapse.li.chain.pem";
         extraConfig = ''
           add_header Strict-Transport-Security "max-age=63072000" always;
+          
+          add_header X-Frame-Options SAMEORIGIN;
+          add_header X-Content-Type-Options nosniff;
+          add_header X-XSS-Protection "1; mode=block";
+          add_header Content-Security-Policy "frame-ancestors 'none'";
         '';
 
         root = pkgs.element-web.override {
-- 
cgit v1.2.3