Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

nixos/grocy: add new option to configure http security headers #110860

Open
wants to merge 2 commits into
base: master
Choose a base branch
from
Open

nixos/grocy: add new option to configure http security headers #110860

wants to merge 2 commits into from

Conversation

Jakobu5
Copy link
Contributor

@Jakobu5 Jakobu5 commented Jan 26, 2021

Motivation for this change

Manually adding HTTP Security Headers to the configuration with services.nginx.virtualHosts.<grocy-hostname>.extraConfig results in failed build because gixy will complain about Problem: [add_header_redefinition] Nested "add_header" drops parent headers..

With the new option nginx.securityHeaders the user can choose witch headers should be implemented into the nginx configuration of the grocy vhost.

The default value for this option is:

add_header Referrer-Policy no-referrer;
add_header X-Content-Type-Options nosniff;
add_header X-Frame-Options sameorigin;
add_header X-XSS-Protection "1; mode=block";
Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Ma27
Ma27 reviewed Jan 26, 2021
View reviewed changes
Copy link
Member

@Ma27 Ma27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Now that I think of it: I'm wondering if we should make gixy more permissive on our end (cc @4z3)

nixos/modules/services/web-apps/grocy.nix Outdated
@@ -24,6 +24,19 @@ in {
'';
};

nginx.securityHeaders = mkOption {
type = types.str;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be types.lines. Otherwise it's not possible to append config add several places.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Changed in c84a308.

nixos/modules/services/web-apps/grocy.nix
@@ -24,6 +24,19 @@ in {
'';
};

nginx.securityHeaders = mkOption {
type = types.str;
default = ''
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is not a good idea: as soon as one adds one other header, the other ones will be removed by default.

Copy link
Contributor Author

@Jakobu5 Jakobu5 Jan 27, 2021
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe the option should be types.bool. If false no headers will be included into the configuration. If true a set of security headers will be included into the configuration.

@stale
Copy link

stale bot commented Jul 26, 2021

I marked this as stale due to inactivity. → More info

@stale stale bot added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jul 26, 2021
@stale stale bot removed the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Jun 12, 2023
@wegank wegank added the 2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md label Mar 19, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ma27 Ma27 Ma27 left review comments

Assignees
No one assigned
Labels
2.status: stale https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md 6.topic: nixos 8.has: module (update) 10.rebuild-darwin: 0 10.rebuild-linux: 1-10 10.rebuild-linux: 1 12. first-time contribution
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@Jakobu5 @Ma27 @wegank @Janik-Haag