Serve element-web directly from web-public-2

2023-07-25 22:10:04 +02:00 · 2023-07-25 22:10:04 +02:00 · bff3ca1445
parent bd159f7535
commit bff3ca1445
3 changed files with 106 additions and 24 deletions
--- a/flake.nix
+++ b/flake.nix
@ -46,22 +46,6 @@
      };
    } // builtins.mapAttrs (self.generateColmenaHost) self.hosts;

-    /* generateNixosSystem = {
-      name,
-      system ? "x86_64-linux",
-      group ? null,
-      modules ? [],
-    }: 
-    let localNixpkgs = nixpkgs.lib.attrByPath [ "nixpkgs-${name}" ] nixpkgs inputs;
-    in localNixpkgs.lib.nixosSystem {
-      modules = modules ++ [
-        ./configuration/common
-        ./users/yuri
-        ./users/colmena-deploy
-        (./hosts + "/${name}")
-      ];
-    }; */
-
    hydraJobs = {
      nixConfigurations.nitter = let system = "x86_64-linux";
      in nixpkgs.lib.nixosSystem {
--- a/hosts/web-public-2/virtualHosts/element-web-config/config.json
+++ b/hosts/web-public-2/virtualHosts/element-web-config/config.json
@ -0,0 +1,48 @@
+{
+    "default_server_config": {
+        "m.homeserver": {
+            "base_url": "https://matrix.nekover.se",
+            "server_name": "Nekoverse"
+        },
+        "m.identity_server": {
+            "base_url": "https://vector.im"
+        }
+    },
+    "disable_custom_urls": false,
+    "disable_guests": false,
+    "disable_login_language_selector": false,
+    "disable_3pid_login": false,
+    "brand": "Element",
+    "integrations_ui_url": "https://scalar.vector.im/",
+    "integrations_rest_url": "https://scalar.vector.im/api",
+    "integrations_widgets_urls": [
+        "https://scalar.vector.im/_matrix/integrations/v1",
+        "https://scalar.vector.im/api",
+        "https://scalar-staging.vector.im/_matrix/integrations/v1",
+        "https://scalar-staging.vector.im/api",
+        "https://scalar-staging.riot.im/scalar/api"
+    ],
+    "bug_report_endpoint_url": "https://element.io/bugreports/submit",
+    "uisi_autorageshake_app": "element-auto-uisi",
+    "defaultCountryCode": "DE",
+    "showLabsSettings": true,
+    "features": { },
+    "default_federate": true,
+    "default_theme": "dark",
+    "roomDirectory": {
+        "servers": [
+            "matrix.org"
+        ]
+    },
+    "piwik": false,
+    "enable_presence_by_hs_url": {
+        "https://matrix.org": false,
+        "https://matrix-client.matrix.org": false
+    },
+    "settingDefaults": {
+        "breadcrumbs": true
+    },
+    "jitsi": {
+        "preferredDomain": "meet.element.io"
+    }
+}
--- a/hosts/web-public-2/virtualHosts/element.nekover.se.nix
+++ b/hosts/web-public-2/virtualHosts/element.nekover.se.nix
@ -1,12 +1,25 @@
-{ ... }:
+{ pkgs, ... }:
+let
+  element-web = pkgs.fetchzip {
+    url = "https://github.com/vector-im/element-web/releases/download/v1.11.36/element-v1.11.36.tar.gz";
+    sha256 = "sha256-HbKqfcYH3JWbrAeaYCF/Lg7D7bl5VSgsitxKQdvf+Oc=";
+  };
+in
 {
  services.nginx.virtualHosts."element.nekover.se" = {
    forceSSL = true;
    enableACME = true;
+    root = pkgs.buildEnv {
+      name = "element-web";
+      paths = [
+        element-web
+        ./element-web-config
+      ];
+    };
    listen = [
      {
-        addr = "0.0.0.0";
-        port = 80;
+        addr = "localhost";
+        port = 1234;
      }
      {
        addr = "localhost";
@ -15,19 +28,56 @@
        proxyProtocol = true;
      }
    ];
-    locations."/" = {
-      proxyPass = "http://element.vs.grzb.de";
-      recommendedProxySettings = false;
+
+    # Set no-cache for the version, config and index.html
+    # so that browsers always check for a new copy of Element Web.
+    # NB http://your-domain/ and http://your-domain/? are also covered by this
+
+    locations."= /index.html" = {
      extraConfig = ''
-        proxy_set_header X-Forwarded-For $remote_addr;
-        proxy_set_header X-Forwarded-Proto $scheme;
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    locations."= /version" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
+      '';
+    };
+    # covers config.json and config.hostname.json requests as it is prefix.
+    locations."/config" = {
+      extraConfig = ''
+        add_header Cache-Control "no-cache";
+        add_header X-Frame-Options SAMEORIGIN;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1; mode=block";
+        add_header Content-Security-Policy "frame-ancestors 'none'";
+        add_header Strict-Transport-Security "max-age=63072000" always;
      '';
    };
    extraConfig = ''
+      index  index.html;
+
+		  # Configuration best practices
+		  # See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
      add_header X-Frame-Options SAMEORIGIN;
      add_header X-Content-Type-Options nosniff;
      add_header X-XSS-Protection "1; mode=block";
      add_header Content-Security-Policy "frame-ancestors 'none'";
+
+      add_header Strict-Transport-Security "max-age=63072000" always;
+
+      # redirect server error pages to the static page /50x.html
+      error_page   500 502 503 504  /50x.html;
    '';
  };
 }