From d1dc2a39843066a2f386bf372d8871d52a166244 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sun, 23 Feb 2025 20:37:20 +0300
Subject: [PATCH] fix: fix grafana headers
---
 hosts/cube/grafana/default.nix | 13 ++++++-------
 modules/nginx.nix | 2 +-
 2 files changed, 7 insertions(+), 8 deletions(-)
diff --git a/hosts/cube/grafana/default.nix b/hosts/cube/grafana/default.nix
index 9ddce24..4fce230 100644
--- a/hosts/cube/grafana/default.nix
+++ b/hosts/cube/grafana/default.nix
@@ -69,14 +69,13 @@ in {
 };
 services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
- extraConfig = /* nginx */ ''
- # Grafana sets `nosniff` while not setting the content type properly,
- # so everything breaks with it. Unset the header.
- ${config.services.nginx.headers}
- add_header X-Content-Type-Options "" always;
- '';
-
 locations."/" = {
+ extraConfig = /* nginx */ ''
+ # Grafana sets `nosniff` while not setting the content type properly,
+ # so everything breaks with it. Unset the header.
+ proxy_hide_header X-Content-Type-Options;
+ '';
+
 proxyPass = "http://[::1]:${toString port}";
 proxyWebsockets = true;
 };
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 1f9255d..3ab0699 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -16,7 +16,7 @@ in {
 add_header Strict-Transport-Security $hsts_header always;
- add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'none';" always;
+ add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'; object-src 'self'; base-uri 'self';" always;
 add_header Referrer-Policy no-referrer always;
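Review bot: In hosts/cube/grafana/default.nix, `proxy_hide_header X-Content-Type-Options;` only strips the header that Grafana sends to nginx, so the comment's "Unset the header" overstates what the directive does. If the shared header set in modules/nginx.nix also emits `X-Content-Type-Options` (not visible in this diff), responses for this vhost would still carry `nosniff`, so it is worth checking the headers on a live response. nginx inherits `add_header` from the outer level only while the current level defines none, so I would extend the comment with `# Do not use add_header in this location: it would drop the inherited HSTS/CSP headers.` and state that serving Grafana without `nosniff` is a deliberate relaxation. The enclosing attribute set starts and ends outside the hunk.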
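Review bot: The Content-Security-Policy line in modules/nginx.nix relaxes `object-src` and `base-uri` from `'none'` to `'self'` in what appears to be the shared header set, so every virtual host using it loses the stricter policy, not only Grafana. If Grafana only needs its `<base>` element honoured (an assumption, since the commit message does not say which directive was blocking), plugin content could stay locked down with `add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'; object-src 'none'; base-uri 'self';" always;`. Either way, a comment above the line naming the application that required the relaxation would let a later maintainer tighten it again. The surrounding block starts and ends outside the hunk.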