diff --git a/hosts/best/cinny.nix b/hosts/best/cinny.nix
new file mode 100644
index 0000000..8e99ed1
--- /dev/null
+++ b/hosts/best/cinny.nix
@@ -0,0 +1,78 @@
+{ config, lib, pkgs, ... }: let
+ inherit (lib) flip merge;
+
+ fqdn = "cinny.rgbcu.be";
+ root = pkgs.cinny;
+in {
+ nixpkgs.overlays = [(self: super: {
+ cinny-unwrapped = flip self.callPackage {} ({
+ lib,
+ buildNpmPackage,
+ fetchFromGitHub,
+ giflib,
+ python3,
+ pkg-config,
+ pixman,
+ cairo,
+ pango,
+ stdenv,
+ }:
+
+ buildNpmPackage {
+ pname = "cinny";
+ version = "4.8.0";
+
+ src = fetchFromGitHub {
+ owner = "RGBCube";
+ repo = "cinny";
+ rev = "becc5f65820c6bf0d9acf3ddf5519519c3e174ad";
+ hash = "sha256-Ym7BzkWjwR+ojP5jGBeHJeH03PZFuiME54RILR7pDqs=";
+ };
+
+ npmDepsHash = "sha256-LZLaaFL7vmFos3TCL4brT6gyEpZFjctsag6uH4CQPdI=";
+
+ nativeBuildInputs = [
+ python3
+ pkg-config
+ ];
+
+ buildInputs = [
+ pixman
+ cairo
+ pango
+ ] ++ lib.optionals stdenv.hostPlatform.isDarwin [ giflib ];
+
+ installPhase = ''
+ runHook preInstall
+
+ cp -r dist $out
+
+ runHook postInstall
+ '';
+
+ meta = {
+ description = "Yet another Matrix client for the web";
+ homepage = "https://cinny.in/";
+ license = lib.licenses.agpl3Only;
+ platforms = lib.platforms.all;
+ };
+ });
+ })];
+
+ services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ inherit root;
+
+ extraConfig = /* nginx */ ''
+ rewrite ^/config.json$ /config.json break;
+ rewrite ^/manifest.json$ /manifest.json break;
+
+ rewrite ^/sw.js$ /sw.js break;
+ rewrite ^/pdf.worker.min.js$ /pdf.worker.min.js break;
+
+ rewrite ^/public/(.*)$ /public/$1 break;
+ rewrite ^/assets/(.*)$ /assets/$1 break;
+
+ rewrite ^(.+)$ /index.html break;
+ '';
+ };
+}
diff --git a/hosts/best/forgejo.nix b/hosts/best/forgejo.nix
index 10398ad..d9ac998 100644
--- a/hosts/best/forgejo.nix
+++ b/hosts/best/forgejo.nix
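Review bot: The new vhost's `extraConfig` is only rewrite rules and never interpolates `${config.services.nginx.headers}`, so unless `sslTemplate` injects that set (it is not visible here) a Matrix web client that handles the user's session in the browser is served without the module's CSP, HSTS, Referrer-Policy and X-Frame-Options, while the matrix well-known response in this same commit does include them; adding `${config.services.nginx.headers}` as the first line of `extraConfig` would close that gap. The catch-all `rewrite ^(.+)$ /index.html break;` also answers every path outside the allow-listed ones with `index.html` and a 200, which works for SPA deep links but turns a missing asset into an HTML response; `try_files $uri /index.html;` keeps the fallback while returning 404 for files absent from `root`, if exposing all of `dist` is acceptable. The source is pinned to a fork (`RGBCube/cinny`) by commit and content hash together with `npmDepsHash`, which is good for reproducibility, but `version = "4.8.0"` then no longer identifies what is built — a comment such as `# fork of upstream 4.8.0 pinned at becc5f6; bump rev+hash together` would help whoever audits this dependency later.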
@@ -111,9 +111,7 @@ in {
 };
 
 services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
- extraConfig = ''
- ${config.services.plausible.extraNginxConfigFor fqdn}
- '';
+ extraConfig = config.services.plausible.extraNginxConfigFor fqdn;
 
 locations."/".proxyPass = "http://[::1]:${toString port}";
 };
diff --git a/hosts/best/matrix/default.nix b/hosts/best/matrix/default.nix
index a32a9e0..7e27ef8 100644
--- a/hosts/best/matrix/default.nix
+++ b/hosts/best/matrix/default.nix
@@ -7,7 +7,7 @@
 port = 8002;
 
 wellKnownResponse = data: /* nginx */ ''
- ${config.services.nginx.headers}
+ ${config.services.nginx.headersNoAccessControlOrigin}
 add_header Access-Control-Allow-Origin * always;
 
 default_type application/json;
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 0bf98ca..87a80fd 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -11,15 +11,26 @@ in {
 };
 
 options.services.nginx.headers = mkConst /* nginx */ ''
+ proxy_hide_header Access-Control-Allow-Origin;
 add_header Access-Control-Allow-Origin $allow_origin always;
+
+ ${config.services.nginx.headersNoAccessControlOrigin}
+ '';
+
+ options.services.nginx.headersNoAccessControlOrigin = mkConst /* nginx */ ''
+ proxy_hide_header Access-Control-Allow-Methods;
 add_header Access-Control-Allow-Methods $allow_methods always;
 
+ proxy_hide_header Strict-Transport-Security;
 add_header Strict-Transport-Security $hsts_header always;
 
+ proxy_hide_header Content-Security-Policy;
 add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;
 
+ proxy_hide_header Referrer-Policy;
 add_header Referrer-Policy no-referrer always;
 
+ proxy_hide_header X-Frame-Options;
 add_header X-Frame-Options DENY always;
 '';
 
@@ -52,7 +63,6 @@ in {
 https "max-age=31536000; includeSubdomains; preload";
 }
 
- # FIXME: These two aren't working.
 map $http_origin $allow_origin {
 ~^https://.+\.${domain}$ $http_origin;
 }
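Review bot: The override `add_header Access-Control-Allow-Origin * always;` immediately after the interpolated set is the only reason the new `headersNoAccessControlOrigin` variant exists — with the old `headers` both `add_header` lines were emitted and the response carried two Access-Control-Allow-Origin values, which browsers treat as an invalid CORS response — but nothing in the hunk records that, so the next edit may well "simplify" it back to `headers`; a comment such as `# .well-known/matrix must be readable from any origin (third-party clients), so the domain-restricted $allow_origin header is deliberately omitted and replaced with *` would pin the intent. The body of `wellKnownResponse` continues past the end of the hunk, so whether any further `add_header` appears in the same nginx context is not visible here.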
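Review bot: `proxy_hide_header Content-Security-Policy;` in the new `headersNoAccessControlOrigin` block discards whatever policy a proxied upstream sends and replaces it with the module's `script-src 'self' 'unsafe-inline' 'unsafe-eval' …`, so an application that ships a stricter CSP of its own (I cannot tell from here whether any of the proxied services do) is downgraded rather than hardened; the hide+add pairing is right for HSTS, Referrer-Policy and X-Frame-Options where one canonical value is wanted, but for CSP consider dropping the hide line or commenting that overriding the upstream policy is intentional. The new block also deserves a note on nginx inheritance, since `add_header` directives are inherited by a `location` only when it declares none of its own, so any location that adds one header must re-interpolate this whole set (as the matrix well-known response does) or silently loses HSTS and the rest: `# NOTE: add_header is not merged across levels; re-include this set in any location that adds its own header`. The `proxy_hide_header` lines are no-ops in vhosts that serve static files from `root`, which is harmless but worth a word so readers of the cinny config do not expect them to do anything there.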