nginx: assert that HSTS header are set correctly

SuperSandro2000 · Apr 24, 2024 · 3aa5a47 · 3aa5a47
1 parent d1bb9ac
commit 3aa5a47
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/modules/nginx.nix b/modules/nginx.nix
@@ -88,6 +88,13 @@ in
   ];
 
   config = lib.mkIf cfg.enable {
+    assertions = lib.mkIf cfg.setHSTSHeader (lib.attrValues (lib.mapAttrs (host: hostConfig: {
+      assertion = hostConfig.root == null;
+      message = let
+        name = ''services.nginx.virtualHosts."${host}"'';
+      in "Use ${name}.locations./.root instead of ${name}.root to properly apply .locations.*.extraConfig set by services.nginx.setHSTSHeader";
+    }) cfg.virtualHosts));
+
     boot.kernel.sysctl = lib.mkIf cfg.tcpFastOpen {
       # enable tcp fastopen for outgoing and incoming connections
       "net.ipv4.tcp_fastopen" = 3;