chore: add caddy common defaults

2025-10-11 07:10:39 +02:00 · 2023-06-17 23:46:15 +02:00 · 2023-06-17 23:46:15 +02:00 · b682db7173
commit b682db7173
parent 9ed52a253c
4 changed files with 35 additions and 9 deletions
--- a/modules/extra.nix
+++ b/modules/extra.nix
@ -48,6 +48,29 @@ in {
      extraDomainNames = ["*.${domain}"];
    });

+    # Sensible defaults for caddy
+    services.caddy = mkIf config.services.caddy.enable {
+      globalConfig = ''
+        (common) {
+          encode zstd gzip
+
+          header {
+            # Enable HTTP Strict Transport Security (HSTS)
+            Strict-Transport-Security "max-age=63072000; includeSubdomains; preload";
+
+            X-XSS-Protection "1; mode=block"
+            X-Frame-Options "DENY"
+            X-Content-Type-Options "nosniff"
+
+            # Remove unnecessary information and remove Last-Modified in favor of ETag
+            -Server
+            -X-Powered-By
+            -Last-Modified
+          }
+        }
+      '';
+    };
+
    # Sensible defaults for nginx
    services.nginx = mkIf config.services.nginx.enable {
      recommendedBrotliSettings = true;