Commit 2a9a814279c3

Vincent Demeester <vincent@sbr.pm>
2026-01-07 09:34:45
feat(kerkouane): Configure Caddy for gitmal static git viewer
- Enable gitmal-generated HTML with relaxed CSP for inline content
- Serve minified static git repository at git.sbr.pm
- Simplify configuration without precompressed gzip

Signed-off-by: Vincent Demeester <vincent@sbr.pm>
1 parent 044d1dc
Changed files (1)
systems/kerkouane/extra.nix
@@ -32,6 +32,20 @@ let
       -Server
     }
   '';
+
+  # Security headers for git repository viewer (allow inline scripts/styles for gitmal)
+  gitSecurityHeaders = ''
+    header {
+      Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
+      X-Content-Type-Options "nosniff"
+      X-Frame-Options "SAMEORIGIN"
+      Referrer-Policy "strict-origin-when-cross-origin"
+      Permissions-Policy "geolocation=(), microphone=(), camera=(), payment=(), usb=()"
+      Content-Security-Policy "default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline'"
+      X-XSS-Protection "1; mode=block"
+      -Server
+    }
+  '';
 in
 {
   imports = [
@@ -438,21 +452,11 @@ in
       # Self-hosted git repositories (public only)
       "git.sbr.pm".extraConfig = ''
         root * /home/vincent/git/public
-
-        # Serve .html.gz files when .html is requested
-        @htmlgz {
-          path *.html
-          file {path}.gz
-        }
-        rewrite @htmlgz {path}.gz
-        header @htmlgz Content-Type "text/html; charset=utf-8"
-        header @htmlgz Content-Encoding gzip
-
         file_server browse {
           hide .fancyindex README.md HEADER.md
         }
 
-        ${securityHeaders}
+        ${gitSecurityHeaders}
       '';
     };
   };
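Review bot: `script-src 'self' 'unsafe-inline'` in the new `gitSecurityHeaders` Content-Security-Policy (first hunk) gives up the protection CSP provides against injected scripts, and a git viewer renders repository-derived text (file contents, commit messages, ref names), so any markup gitmal fails to escape would run in the visitor's browser under git.sbr.pm. Since the output is static the inline scripts are fixed, so they can be allowed by digest instead, e.g. `script-src 'self' 'sha256-<placeholder: base64 digest of gitmal's inline script>'`, keeping `'unsafe-inline'` only on `style-src` if that is all gitmal needs; if the hash route is not possible, a comment should record why, such as `# gitmal emits inline <script>; nonces are impractical for static files, so 'unsafe-inline' is required — tighten to hashes if gitmal's output stabilises`. The other header lines duplicate `securityHeaders` (whose start lies outside the hunk), so a shared base string with only the CSP line differing would keep the two from drifting apart. `X-XSS-Protection "1; mode=block"` is deprecated and current guidance is to set it to `0` or omit it, because the legacy browser filter can itself be turned into an information leak; that applies to both header blocks.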