nginx: assert that HSTS header are set correctly

2024-05-29 04:20:47 +02:00 · 2024-04-24 21:49:12 +02:00 · 2024-04-24 21:49:12 +02:00 · 3aa5a47abe
commit 3aa5a47abe
parent d1bb9acd4a
1 changed files with 7 additions and 0 deletions
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -88,6 +88,13 @@ in
  ];

  config = lib.mkIf cfg.enable {
+    assertions = lib.mkIf cfg.setHSTSHeader (lib.attrValues (lib.mapAttrs (host: hostConfig: {
+      assertion = hostConfig.root == null;
+      message = let
+        name = ''services.nginx.virtualHosts."${host}"'';
+      in "Use ${name}.locations./.root instead of ${name}.root to properly apply .locations.*.extraConfig set by services.nginx.setHSTSHeader";
+    }) cfg.virtualHosts));
+
    boot.kernel.sysctl = lib.mkIf cfg.tcpFastOpen {
      # enable tcp fastopen for outgoing and incoming connections
      "net.ipv4.tcp_fastopen" = 3;