authortzlil <tzlils@protonmail.com>2023-02-18 15:05:37 +0200
committertzlil <tzlils@protonmail.com>2023-02-18 15:05:37 +0200
commit7df97d3d12c803437fd49a7b4050a940c8b62678 (patch)
tree9d1ce590c27fadf1e3c847b2681dfbb7b033a841 /hosts
parent222c7e35d7e9507f6eb8d67bb7af3ef9e623d0f3 (diff)
add default headers to caddy config and git vhost
Diffstat (limited to 'hosts')
-rw-r--r--hosts/vps/git.nix2
-rw-r--r--hosts/vps/website.nix26
2 files changed, 28 insertions, 0 deletions
diff --git a/hosts/vps/git.nix b/hosts/vps/git.nix
index 9d50865..cf05aae 100644
--- a/hosts/vps/git.nix
+++ b/hosts/vps/git.nix
@@ -21,6 +21,8 @@
       caddy = {
         virtualHosts."http://100.67.217.90".extraConfig = ''
           bind 100.67.217.90
+          ${config.website.defaultHeaders}
+          header -Server
           handle /cgit.png {
             root * ${pkgs.cgit}/cgit
             file_server
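Review bot: `header -Server` on the line after the interpolation is redundant: `${config.website.defaultHeaders}` already expands to a `header { -Server ... }` block, so the same removal is applied twice and the extra line can be dropped. Separately, the interpolated block carries `Strict-Transport-Security`, but this vhost is `http://100.67.217.90`, an IP-literal, plain-HTTP site; browsers only honour HSTS received over TLS and only for hostnames, never IP addresses (RFC 6797), so that header is a no-op here. It is harmless, but worth a comment such as `# defaultHeaders includes HSTS, which clients ignore on a plain-HTTP / IP-literal vhost` so nobody reads this host as HSTS-protected. The enclosing `caddy` attribute set continues outside the hunk.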
diff --git a/hosts/vps/website.nix b/hosts/vps/website.nix
index fd7f71c..5d767c5 100644
--- a/hosts/vps/website.nix
+++ b/hosts/vps/website.nix
@@ -1,8 +1,34 @@
 {
   pkgs,
   config,
+  lib,
   ...
 }: {
+  options.website.defaultHeaders = lib.mkOption {
+    type = lib.types.str;
+    default = ''
+      header {
+        -Server
+        # disable indexing by search engines
+
+        X-Robots-Tag "noindex, nofollow"
+        # disable FLoC tracking
+        Permissions-Policy interest-cohort=()
+
+        # enable HSTS
+        Strict-Transport-Security max-age=31536000;
+
+        # disable clients from sniffing the media type
+        X-Content-Type-Options nosniff
+
+        # clickjacking protection
+        X-Frame-Options DENY
+
+        # keep referrer data off of HTTP connections
+        Referrer-Policy no-referrer-when-downgrade
+      }
+    '';
+  };
   config = {
     services.caddy = {
       enable = true;
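Review bot: `options.website.defaultHeaders` is declared with `lib.mkOption` but no `description`, so the option surfaces in generated module documentation with no explanation of what the string must contain; add `description = "Caddyfile header block prepended to each virtual host's extraConfig.";` next to `type`. Two smaller points in the default value: the blank line between `# disable indexing by search engines` and `X-Robots-Tag` breaks the comment-directly-above-directive layout used for every other entry, and the trailing `;` in `Strict-Transport-Security max-age=31536000;` is emitted as part of the header value — RFC 6797 tolerates the empty directive, but `max-age=31536000` alone is the conventional form. The HSTS value has no `includeSubDomains`; whether that is intended depends on which subdomains this host serves, which the hunk does not show. The `config = {` attribute set at the end of the hunk continues outside it.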