From df554c6048f4514bd28447467c99e62a3067db6c Mon Sep 17 00:00:00 2001
From: Emelie Graven
Date: Fri, 26 Nov 2021 14:51:00 +0100
Subject: [PATCH] Add Onion-Location header
---
 config/hosts/capetillo/services/nginx.nix | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/config/hosts/capetillo/services/nginx.nix b/config/hosts/capetillo/services/nginx.nix
index a9fa2d1..1b88d0d 100644
--- a/config/hosts/capetillo/services/nginx.nix
+++ b/config/hosts/capetillo/services/nginx.nix
@@ -6,6 +6,14 @@
 enableACME = true;
 forceSSL = true;
 root = "/var/www/nixaalb.org/public";
+ extraConfig = ''
+ add_header Content-Security-Policy "script-src 'self'; object-src 'none'; base-uri 'none';" always;
+ add_header 'Referrer-Policy' 'same-origin';
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+ add_header X-XSS-Protection "1; mode=block";
+ add_header Onion-Location http://http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;
+ '';
 };
 "mta-sts.nixaalb.org" = {
 enableACME = true;
@@ -19,11 +27,9 @@
 port = 8080; } ]; root = "/var/www/nixaalb.org/public";
+ };
 };
- systemd.services.nginx.serviceConfig = {
- PrivateTmp = lib.mkForce "false";
- };
 }
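Review bot: The Onion-Location value in the new `extraConfig` carries a doubled scheme (`http://http://…onion$request_uri`), so the advertised address is not a valid onion URL; it should read `add_header Onion-Location http://ag6mlqzpyswq3oogpnuykgllnv5gevjew6dshzmotwgnpo5jw2jqltad.onion$request_uri;`. Only the Content-Security-Policy line has `always`, so the other headers are omitted on 4xx/5xx responses; appending `always` to Referrer-Policy, X-Frame-Options and X-Content-Type-Options keeps error pages covered. `X-XSS-Protection "1; mode=block"` drives a legacy browser filter that current browsers have removed, and present guidance is to send `0` or drop the header and rely on the CSP. nginx inherits server-level `add_header` lines only into locations that declare none of their own, so a short comment above the block saying so would help if `location` blocks are added later; none are visible in this hunk.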
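Review bot: The removal of the `PrivateTmp = lib.mkForce "false"` override at the end of the second hunk is unrelated to the commit subject and changes the nginx unit's sandboxing, so it deserves a line in the commit message (or its own commit) stating that nginx no longer needs the shared /tmp. With the override gone the unit falls back to whatever the NixOS nginx module sets, presumably a private /tmp, so anything that exchanged files with nginx through /tmp should be checked. The added `};` also changes the attribute-set nesting, and the enclosing set opens outside the hunk, so brace balance cannot be confirmed from here.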