nixos/grocy: add new option to configure http security headers #110860
base: master
Now that I think of it: I'm wondering if we should make `gixy` more permissive on our end (cc @4z3)
@@ -24,6 +24,19 @@ in { | |||
''; | |||
}; | |||
|
|||
nginx.securityHeaders = mkOption { | |||
type = types.str; |
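Review bot: `type = types.str;` on `nginx.securityHeaders` cannot be merged, so a second definition of the option from another module fails evaluation with a conflicting-definitions error instead of being appended. For a fragment of nginx configuration, `types.lines` fits better, since it joins all definitions with newlines.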
This should be `types.lines`. Otherwise it's not possible to append config at several places.
Changed in c84a308.
@@ -24,6 +24,19 @@ in { | |||
''; | |||
}; | |||
|
|||
nginx.securityHeaders = mkOption { | |||
type = types.str; | |||
default = '' |
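Review bot: the multi-line `default = ''` on `nginx.securityHeaders` is only used while the option is left undefined, so if it carries the header set, a user who sets the option to add one header loses every default header without notice. Either state in the option description that a user value replaces the defaults, or model the headers as `types.attrsOf types.str` with the defaults assigned through `mkDefault` in `config`, so that single entries can be added or overridden.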
This is not a good idea: as soon as one adds one other header, the other ones will be removed by default.
Maybe the option should be `types.bool`. If `false`, no headers will be included into the configuration. If `true`, a set of security headers will be included into the configuration.
I marked this as stale due to inactivity.
Motivation for this change

Manually adding HTTP Security Headers to the configuration with `services.nginx.virtualHosts.<grocy-hostname>.extraConfig` results in a failed build because `gixy` will complain about `Problem: [add_header_redefinition] Nested "add_header" drops parent headers.`

With the new option `nginx.securityHeaders` the user can choose which headers should be implemented into the nginx configuration of the grocy vhost.

The default value for this option is:
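The `add_header_redefinition` finding quoted in the motivation follows from nginx's inheritance rule: a block inherits `add_header` directives from its parent only if it defines none of its own. The following is an added example, not code from this PR, gixy or nixpkgs: a simplified check over a constructed vhost config, where the names `parse` and `dropped_headers` and the sample config are assumptions made for illustration.

```python
import re

# Constructed sample (not the grocy module's config): security headers at
# server level, plus one location that sets a header of its own.
SAMPLE = r"""
server {
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    location / { try_files $uri /index.php; }
    location ~ \.php$ {
        add_header Cache-Control no-store;   # drops both headers above
    }
}
"""
TOKEN = re.compile(r"[{};]|[^\s{};]+")

def parse(conf):
    """Build a block tree recording the add_header names set in each block.
    Simplified: quoted strings containing braces or ';' are not handled."""
    conf = re.sub(r"#.*", "", conf)              # strip comments
    root = {"name": "main", "own": set(), "children": []}
    stack, words = [root], []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            node = {"name": " ".join(words), "own": set(), "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        elif tok == "}":
            stack.pop()
        elif tok == ";":
            if len(words) >= 2 and words[0] == "add_header":
                stack[-1]["own"].add(words[1].lower())  # names are case-insensitive
        else:
            words.append(tok)
            continue
        words = []
    return root

def dropped_headers(node, inherited=frozenset()):
    """Return [(block, [lost header names])] for blocks whose own add_header
    directives discard headers they would otherwise have inherited."""
    lost = inherited - node["own"]
    findings = [(node["name"], sorted(lost))] if node["own"] and lost else []
    # A block passes down its own set if it has one, else what it inherited.
    effective = node["own"] or inherited
    for child in node["children"]:
        findings += dropped_headers(child, effective)
    return findings
```

Repeating the server-level headers inside the reported block (or keeping all `add_header` directives on one level) clears the finding.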