diff --git a/modules/nginx.nix b/modules/nginx.nix
index cb4f287..09e4487 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,4 +1,5 @@
 { config, lib, pkgs, ... }: let
+  inherit (config.networking) domain;
   inherit (lib) enabled mkConst;
 in {
   options.nginxSslTemplate = mkConst {
@@ -8,6 +9,10 @@ in {
   };

   options.nginxHeaders = mkConst ''
+    # TODO: Not working for some reason.
+    add_header Access-Control-Allow-Origin $allow_origin;
+    add_header Access-Control-Allow-Methods $allow_methods;
+
     add_header Strict-Transport-Security $hsts_header;
     add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;

@@ -48,6 +53,14 @@ in {
       https "max-age=31536000; includeSubdomains; preload";
     }

+    map $http_origin $allow_origin {
+      ~^https://.+\.${domain}$ $http_origin;
+    }
+
+    map $http_origin $allow_methods {
+      ~^https://.+\.${domain}$ "GET, HEAD, OPTIONS";
+    }
+
     ${config.nginxHeaders}

     proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
diff --git a/modules/site.nix b/modules/site.nix
index 9416f33..6705a04 100644
--- a/modules/site.nix
+++ b/modules/site.nix
@@ -10,33 +10,14 @@
   };
 in {
   services.nginx = enabled {
-    appendHttpConfig = ''
-      map $http_origin $allow_origin {
-        ~^https://.+\.${domain}$ $http_origin;
-      }
-
-      map $http_origin $allow_methods {
-        ~^https://.+\.${domain}$ "GET, HEAD, OPTIONS";
-      }
-    '';
-
     virtualHosts.${domain} = merge config.nginxSslTemplate notFoundLocationConfig {
       root = sitePath;
       locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
-      locations."/assets/".extraConfig = let
-        nginxHeaders' = ''
-          add_header Access-Control-Allow-Origin $allow_origin;
-          add_header Access-Control-Allow-Methods $allow_methods;
-        '';
-      in ''
-        ${config.nginxHeaders}
-        ${nginxHeaders'}
-
+      locations."/assets/".extraConfig = ''
         if ($request_method = OPTIONS) {
           ${config.nginxHeaders}
-          ${nginxHeaders'}
           add_header Content-Type text/plain;
           add_header Content-Length 0;
           return 204;
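Review bot: The new `add_header Access-Control-Allow-Origin $allow_origin;` line in `nginxHeaders` echoes the request's Origin back, but nothing emits `Vary: Origin`, so any shared cache or browser cache between nginx and the client may serve a response carrying one subdomain's Access-Control-Allow-Origin to a different origin; add `add_header Vary Origin;` next to it. Moving these two headers from the `/assets/` location (where the site.nix hunk removes them) into `nginxHeaders`, which the third hunk emits at http scope, also widens CORS from one static path to every response served by this nginx, which is probably not intended and should at least be called out in the TODO comment. As for the "Not working" TODO, one likely cause worth checking is nginx's add_header inheritance: a location or `if` block that declares any add_header of its own replaces all inherited ones, so headers emitted at http scope disappear wherever a block adds its own (the OPTIONS block in site.nix does), though the exact cause is not visible from this diff. The `nginxHeaders` string continues beyond the hunk.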
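Review bot: In both new `map $http_origin` blocks the Nix-interpolated `${domain}` is dropped unescaped into an nginx regex, so every dot in the domain matches any character and the intended `*.<domain>` allow-list is looser than it reads; use `~^https://.+\.${lib.escapeRegex domain}$` (or a pre-escaped `let` binding) so the domain is matched literally. The `.+` subdomain part is otherwise anchored and https-only, which is fine for a reflected-origin rule without credentials. The surrounding http-scope config block starts and ends outside this hunk.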