nixos/nextcloud: avoid duplicate X-Robots-Tag header, remove option nginx.recommendedHttpHeaders (#449186)

Maximilian Bosch
2025-10-09 17:47:13 +00:00
committed by GitHub


@@ -320,6 +320,9 @@ in
(lib.mkRemovedOptionModule [ "services" "nextcloud" "config" "dbport" ] '' (lib.mkRemovedOptionModule [ "services" "nextcloud" "config" "dbport" ] ''
Add port to services.nextcloud.config.dbhost instead. Add port to services.nextcloud.config.dbhost instead.
'') '')
(lib.mkRemovedOptionModule [ "services" "nextcloud" "nginx" "recommendedHttpHeaders" ] ''
This option has been removed to always follow upstream's security recommendation.
'')
(lib.mkRenamedOptionModule (lib.mkRenamedOptionModule
[ "services" "nextcloud" "logLevel" ] [ "services" "nextcloud" "logLevel" ]
[ "services" "nextcloud" "settings" "loglevel" ] [ "services" "nextcloud" "settings" "loglevel" ]
@@ -979,11 +982,6 @@ in
}; };
nginx = { nginx = {
recommendedHttpHeaders = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable additional recommended HTTP response headers";
};
hstsMaxAge = lib.mkOption { hstsMaxAge = lib.mkOption {
type = lib.types.ints.positive; type = lib.types.ints.positive;
default = 15552000; default = 15552000;
@@ -1534,19 +1532,23 @@ in
}; };
extraConfig = '' extraConfig = ''
index index.php index.html /index.php$request_uri; index index.php index.html /index.php$request_uri;
${lib.optionalString (cfg.nginx.recommendedHttpHeaders) '' add_header X-Content-Type-Options nosniff;
add_header X-Content-Type-Options nosniff; add_header X-Robots-Tag "noindex, nofollow";
add_header X-Robots-Tag "noindex, nofollow"; add_header X-Permitted-Cross-Domain-Policies none;
add_header X-Permitted-Cross-Domain-Policies none; add_header X-Frame-Options sameorigin;
add_header X-Frame-Options sameorigin; add_header Referrer-Policy no-referrer;
add_header Referrer-Policy no-referrer;
''}
${lib.optionalString (cfg.https) '' ${lib.optionalString (cfg.https) ''
add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always; add_header Strict-Transport-Security "max-age=${toString cfg.nginx.hstsMaxAge}; includeSubDomains" always;
''} ''}
client_max_body_size ${cfg.maxUploadSize}; client_max_body_size ${cfg.maxUploadSize};
fastcgi_buffers 64 4K; fastcgi_buffers 64 4K;
fastcgi_hide_header X-Powered-By; fastcgi_hide_header X-Powered-By;
# mirror upstream htaccess file https://github.com/nextcloud/server/blob/v32.0.0/.htaccess#L40-L41
fastcgi_hide_header Referrer-Policy;
fastcgi_hide_header X-Content-Type-Options;
fastcgi_hide_header X-Frame-Options;
fastcgi_hide_header X-Permitted-Cross-Domain-Policies;
fastcgi_hide_header X-Robots-Tag;
gzip on; gzip on;
gzip_vary on; gzip_vary on;
gzip_comp_level 4; gzip_comp_level 4;
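Review bot: The five now-unconditional `add_header` lines in the third hunk lack `always`, so nginx attaches them only to 2xx/3xx responses, while the new `fastcgi_hide_header` lines strip the same five headers from every PHP response whatever its status. If Nextcloud sets these headers itself on error responses, which the hide list suggests, 4xx/5xx pages served through FastCGI would now go out without X-Frame-Options, X-Content-Type-Options, Referrer-Policy and the other two. I would add `always` to all five, e.g. `add_header X-Frame-Options sameorigin always;` and `add_header X-Content-Type-Options nosniff always;`, matching the `always` already on the Strict-Transport-Security line. The `extraConfig` string starts and ends outside the hunk, so it is worth confirming separately that no nested `location` declares its own `add_header`, since nginx then drops the inherited ones for that location.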