Serve element-web directly from web-public-2

flake.nix

@@ -46,22 +46,6 @@
       };
     } // builtins.mapAttrs (self.generateColmenaHost) self.hosts;
 
-    /* generateNixosSystem = {
-      name,
-      system ? "x86_64-linux",
-      group ? null,
-      modules ? [],
-    }: 
-    let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
-    in localNixpkgs.lib.nixosSystem {
-      modules = modules ++ [
-        ./configuration/common
-        ./users/yuri
-        ./users/colmena-deploy
-        (./hosts + "/${name}")
-      ];
-    }; */
-
     hydraJobs = {
       nixConfigurations.nitter = let system = "x86_64-linux";
       in nixpkgs.lib.nixosSystem {

hosts/web-public-2/virtualHosts/element-web-config/config.json

@@ -0,0 +1,48 @@
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://matrix.nekover.se",
+            "server_name": "Nekoverse"
+        },
+        "m.identity_server": {
+            "base_url": "https://vector.im"
+        }
+    },
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+    "uisi_autorageshake_app": "element-auto-uisi",
+    "defaultCountryCode": "DE",
+    "showLabsSettings": true,
+    "features": { },
+    "default_federate": true,
+    "default_theme": "dark",
+    "roomDirectory": {
+        "servers": [
+            "matrix.org"
+        ]
+    },
+    "piwik": false,
+    "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+    },
+    "settingDefaults": {
+        "breadcrumbs": true
+    },
+    "jitsi": {
+        "preferredDomain": "meet.element.io"
+    }
+}

hosts/web-public-2/virtualHosts/element.nekover.se.nix

@@ -1,12 +1,25 @@
-{ ... }:
+{ pkgs, ... }:
+let
+  element-web = pkgs.fetchzip {
+    url = "https://github.com/vector-im/element-web/releases/download/v1.11.36/element-v1.11.36.tar.gz";
+    sha256 = "sha256-HbKqfcYH3JWbrAeaYCF/Lg7D7bl5VSgsitxKQdvf+Oc=";
+  };
+in
 {
   services.nginx.virtualHosts."element.nekover.se" = {
     forceSSL = true;
     enableACME = true;
+    root = pkgs.buildEnv {
+      name = "element-web";
+      paths = [
+        element-web
+        ./element-web-config
+      ];
+    };
     listen = [
       {
-        addr = "0.0.0.0";
+        addr = "localhost";
-        port = 80;
+        port = 1234;
       }
       {
         addr = "localhost";
@@ -15,19 +28,56 @@
         proxyProtocol = true;
       }
     ];
-    locations."/" = {
+
-      proxyPass = "http://element.vs.grzb.de";
+    # Set no-cache for the version, config and index.html
-      recommendedProxySettings = false;
+    # so that browsers always check for a new copy of Element Web.
-      extraConfig = ''
+    # NB http://your-domain/ and http://your-domain/? are also covered by this
-        proxy_set_header X-Forwarded-For $remote_addr;
+
-        proxy_set_header X-Forwarded-Proto $scheme;
+    locations."= /index.html" = {
-      '';
-    };
       extraConfig = ''
+        add_header Cache-Control "no-cache";
         add_header X-Frame-Options SAMEORIGIN;
         add_header X-Content-Type-Options nosniff;
         add_header X-XSS-Protection "1; mode=block";
         add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    locations."= /version" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    # covers config.json and config.hostname.json requests as it is prefix.
+    locations."/config" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    extraConfig = ''
+      index  index.html;
+
+		  # Configuration best practices
+		  # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
+      add_header X-Frame-Options SAMEORIGIN;
+      add_header X-Content-Type-Options nosniff;
+      add_header X-XSS-Protection "1; mode=block";
+      add_header Content-Security-Policy "frame-ancestors 'none'";
+
+      add_header Strict-Transport-Security "max-age=63072000" always;
+
+      # redirect server error pages to the static page /50x.html
+      error_page   500 502 503 504  /50x.html;
     '';
   };
 }