Update element-web and clean up configuration

2023-10-10 14:19:35 +02:00 · 2023-10-10 14:19:35 +02:00 · 15963fd37e
parent 406a23a01f
commit 15963fd37e
1 changed files with 23 additions and 42 deletions
--- a/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/config/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@ -1,9 +1,20 @@
 { pkgs, ... }:
 let
+  elementWebVersion = "1.11.46";
  element-web = pkgs.fetchzip {
-    url = "https://github.com/vector-im/element-web/releases/download/v1.11.43/element-v1.11.43.tar.gz";
-    sha256 = "sha256-MxUu5dFf4RL0crQol4hG6gNE+9Qu5/vBWdpf0ENaFV0=";
+    url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
+    sha256 = "sha256-EQ6a8WK8ILYidbS+0FGzI4XQbZFh+M6Y7eZ28YcsIrg=";
  };
+  elementWebSecurityHeaders = ''
+  	# Configuration best practices
+		# See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+    add_header X-Frame-Options SAMEORIGIN;
+    add_header X-Content-Type-Options nosniff;
+    add_header X-XSS-Protection "1; mode=block";
+    add_header Content-Security-Policy "frame-ancestors 'self'";
+
+    add_header Strict-Transport-Security "max-age=63072000" always;
+  '';
 in
 {
  services.nginx.virtualHosts."element.nekover.se" = {
@ -16,66 +27,36 @@ in
        ./element-web-config
      ];
    };
-    listen = [
-      { 
-        addr = "localhost";
-        port = 1234;
-      } # workaround for enableACME check
-      {
+    listen = [{
      addr = "localhost";
      port = 8443;
      ssl = true;
-        proxyProtocol = true;
-      }
-    ];
+      extraParameters = ["proxy_protocol"];
+    }];

    # Set no-cache for the version, config and index.html
    # so that browsers always check for a new copy of Element Web.
    # NB http://your-domain/ and http://your-domain/? are also covered by this

    locations."= /index.html" = {
-      extraConfig = ''
+      extraConfig = elementWebSecurityHeaders + ''
        add_header Cache-Control "no-cache";
-        add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Content-Security-Policy "frame-ancestors 'none'";
-        add_header Strict-Transport-Security "max-age=63072000" always;
      '';
    };
    locations."= /version" = {
-      extraConfig = ''
+      extraConfig = elementWebSecurityHeaders + ''
        add_header Cache-Control "no-cache";
-        add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Content-Security-Policy "frame-ancestors 'none'";
-        add_header Strict-Transport-Security "max-age=63072000" always;
      '';
    };
    # covers config.json and config.hostname.json requests as it is prefix.
    locations."/config" = {
-      extraConfig = ''
+      extraConfig = elementWebSecurityHeaders + ''
        add_header Cache-Control "no-cache";
-        add_header X-Frame-Options SAMEORIGIN;
-        add_header X-Content-Type-Options nosniff;
-        add_header X-XSS-Protection "1; mode=block";
-        add_header Content-Security-Policy "frame-ancestors 'none'";
-        add_header Strict-Transport-Security "max-age=63072000" always;
      '';
    };
-    extraConfig = ''
+    extraConfig = elementWebSecurityHeaders + ''
      index  index.html;

-		  # Configuration best practices
-		  # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
-      add_header X-Frame-Options SAMEORIGIN;
-      add_header X-Content-Type-Options nosniff;
-      add_header X-XSS-Protection "1; mode=block";
-      add_header Content-Security-Policy "frame-ancestors 'self'";
-
-      add_header Strict-Transport-Security "max-age=63072000" always;
-
      # redirect server error pages to the static page /50x.html
      error_page   500 502 503 504  /50x.html;