all repos — nixfiles @ 0741f0290ee5e7082ff421921583ff9ad8ec6f1e

System and user configuration, managed by nix and home-manager

lib/caddy.nix (view raw)

{
  lib,
  ...
}:
rec {
  # Render one directive value as a single string.
  #
  # A list is joined with single spaces. Each list element that does not start
  # with "http" is wrapped in single quotes, the form CSP keyword sources such
  # as 'self' and 'none' take. Anything that is not a list goes through
  # toString unchanged.
  #
  # NOTE(review): the quoting decision is only a prefix test, so list elements
  # such as scheme sources (data:, wss:) or bare host names are quoted as well.
  # CSP only defines quoted forms for keywords, nonces and hashes, so a browser
  # is expected to ignore those entries. Pass such values as a plain string, or
  # check the rendered header, before relying on them.
  subValue =
    value:
    let
      quoteUnlessUrl = item: if lib.strings.hasPrefix "http" item then item else "'${item}'";
    in
    if !(builtins.isList value) then
      toString value
    else
      builtins.concatStringsSep " " (builtins.map quoteUnlessUrl value);

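  # Render a complete header value.
  #
  # sep: string placed between a directive name and its value.
  # val: either an attribute set of directives or a plain value.
  #
  # An attribute set becomes a "; "-separated directive list:
  #   name = true   -> the bare name (valueless directive)
  #   name = false  -> omitted
  #   name = other  -> name, sep, then the value rendered by subValue
  # Anything that is not an attribute set goes through toString.
  headerValue =
    sep: val:
    let
      # A directive set to false must not be emitted. Without this filter the
      # isBool branch below prints the bare name for false as well, so e.g.
      # `preload = false` or `includeSubDomains = false` would still switch
      # the directive on in the served header.
      enabled = lib.attrsets.filterAttrs (_: v: v != false) val;
      renderDirective = k: v: if builtins.isBool v then k else "${k}${sep}${subValue v}";
    in
    if builtins.isAttrs val then
      builtins.concatStringsSep "; " (lib.attrsets.mapAttrsToList renderDirective enabled)
    else
      toString val;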
  # Build one line of a Caddy `header` block: the header name followed by its
  # value in double quotes.
  #
  # header: header name, used verbatim.
  # value:  attribute set or plain value, rendered by headerValue.
  #
  # Directive names and values are separated by a space for
  # "content-security-policy" and by "=" for every other header. The name is
  # compared by exact string equality, so a differently-cased key such as
  # "Content-Security-Policy" gets the "=" separator.
  #
  # NOTE(review): the rendered value is placed between the double quotes
  # as-is; nothing here escapes a `"` inside it. A value that contains one
  # (for example a quoted origin in a permissions-policy allowlist) would end
  # the quoted token early - confirm how callers pass such values.
  genHeader =
    header: value:
    let
      isCsp = header == "content-security-policy";
      sep = if isCsp then " " else "=";
      rendered = headerValue sep value;
    in
    header + " \"" + rendered + "\"";

  # Produce a Caddy `header` directive block.
  #
  # matcher: request matcher text inserted after `header`; may be empty.
  # headers: attribute set mapping header names to values; each entry is
  #          turned into one line by genHeader.
  headers =
    matcher: headers:
    let
      directiveLines = lib.attrsets.mapAttrsToList genHeader headers;
      body = builtins.concatStringsSep "\n" directiveLines;
    in
    ''
      header ${matcher} {
        ${body}
      }
    '';
  # Baseline response headers, rendered as a Caddy `header` block.
  #
  # matcher:   optional request matcher, passed through to `headers`.
  # overrides: attribute set of header name -> value laid over the defaults.
  #
  # Defaults:
  #   strict-transport-security  max-age of two 365-day years, in seconds
  #   x-content-type-options     nosniff
  #   x-frame-options            DENY
  # The defaults set no includeSubDomains or preload for HSTS and no
  # content-security-policy; add them through `overrides` where wanted.
  #
  # `//` is a shallow merge: an override replaces the whole value of that
  # header. An attribute-set override for strict-transport-security therefore
  # has to carry its own max-age, otherwise the header is rendered without
  # one.
  security-headers =
    {
      matcher ? "",
      overrides ? { },
    }:
    let
      twoYearsInSeconds = 2 * 365 * 24 * 60 * 60;
      defaults = {
        strict-transport-security.max-age = twoYearsInSeconds;
        x-content-type-options = "nosniff";
        x-frame-options = "DENY";
      };
    in
    headers matcher (defaults // overrides);
}