Infinidoge/universe
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Infini-DL360/web: extract csp to nix

Browse source
This commit is contained in:
Infinidoge 2025-05-20 23:50:49 -04:00
parent 72edab5e19
commit 8f8364e258
Signed by: Infinidoge
SSH key fingerprint: SHA256:EMoPe5e2dO0gEvtBb2xkZTz5dkyL0rBmuiGTKG5s96E
1 changed files with 32 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

33
hosts/Infini-DL360/web.nix
View file

@ -8,6 +8,37 @@
with common.nginx; with common.nginx;
let let
tryFiles = "$uri $uri.html $uri/ =404"; tryFiles = "$uri $uri.html $uri/ =404";
csp = rec {
default-src = [
"'self'"
"'unsafe-inline'"
];
frame-ancestors = [
"'self'"
];
script-src = default-src ++ [
"storage.ko-fi.com"
];
style-src = default-src ++ [
"fonts.googleapis.com"
];
img-src = [
"'self'"
"storage.ko-fi.com"
];
font-src = [
"'self'"
"fonts.gstatic.com"
];
frame-src = [
"'self'"
"github.com"
];
};
cspString = lib.concatStringsSep " " (
lib.mapAttrsToList (kind: locations: "${kind} ${lib.concatStringsSep " " locations};") csp
);
websiteConfig = '' websiteConfig = ''
error_page 403 /403.html; error_page 403 /403.html;
error_page 404 /404.html; error_page 404 /404.html;
@ -18,7 +49,7 @@ let
location ~* "\.(nix|lock)" { deny all; } location ~* "\.(nix|lock)" { deny all; }
location ~ "/\..+" { deny all; } location ~ "/\..+" { deny all; }
add_header Content-Security-Policy "default-src 'self' inx.moe files.inx.moe; frame-ancestors 'self' https://inx.moe; script-src 'self' inx.moe files.inx.moe storage.ko-fi.com; frame-src 'self' inx.moe files.inx.moe github.com;"; add_header Content-Security-Policy "${cspString}";
add_header X-Content-Type-Options "nosniff;"; add_header X-Content-Type-Options "nosniff;";
''; '';