{ pkgs, ... }:
let
elementWebVersion = "1.11.49";
element-web = pkgs.fetchzip {
url = "https://github.com/vector-im/element-web/releases/download/v${elementWebVersion}/element-v${elementWebVersion}.tar.gz";
sha256 = "sha256-0w503Y4hgG6eFMuMMQyHjuMhyc+T4Rq1a5VDZN3POQc=";
};
elementWebSecurityHeaders = ''
# Configuration best practices
# See: https://github.com/vector-im/element-web/tree/develop#configuration-best-practices
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header Content-Security-Policy "frame-ancestors 'self'";
add_header Strict-Transport-Security "max-age=63072000" always;
'';
in
{
services.nginx.virtualHosts."element.nekover.se" = {
forceSSL = true;
enableACME = true;
root = pkgs.buildEnv {
name = "element-web";
paths = [
element-web
./element-web-config
];
};
listen = [{
addr = "localhost";
port = 8443;
ssl = true;
extraParameters = ["proxy_protocol"];
}];
# Set no-cache for the version, config and index.html
# so that browsers always check for a new copy of Element Web.
# NB http://your-domain/ and http://your-domain/? are also covered by this
locations."= /index.html" = {
extraConfig = elementWebSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
locations."= /version" = {
extraConfig = elementWebSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
# covers config.json and config.hostname.json requests as it is prefix.
locations."/config" = {
extraConfig = elementWebSecurityHeaders + ''
add_header Cache-Control "no-cache";
'';
};
extraConfig = elementWebSecurityHeaders + ''
index index.html;
# redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
set_real_ip_from 127.0.0.1;
real_ip_header proxy_protocol;
'';
};
}