nixos/nextcloud: Optionally disable setting HTTP response headers

This commit introduces a new option `services.nextcloud.nginx.recommendedHttpHeaders` that can be used to optionally disable serving recommended HTTP Response Headers in nginx. This is especially useful if some headers are already configured elsewhere to be served in nginx and thus result in duplicate headers. Resolves #120223
2 years ago · 7109660b9a
parent 30cc7340f5
commit 7109660b9a
1 changed files with 16 additions and 8 deletions
--- a/nixos/modules/services/web-apps/nextcloud.nix
+++ b/nixos/modules/services/web-apps/nextcloud.nix
@ -505,6 +505,12 @@ in {
        The nextcloud-occ program preconfigured to target this Nextcloud instance.
      '';
    };
+
+    nginx.recommendedHttpHeaders = mkOption {
+      type = types.bool;
+      default = true;
+      description = "Enable additional recommended HTTP response headers";
+    };
  };

  config = mkIf cfg.enable (mkMerge [
@ -904,14 +910,16 @@ in {
        };
        extraConfig = ''
          index index.php index.html /index.php$request_uri;
-          add_header X-Content-Type-Options nosniff;
-          add_header X-XSS-Protection "1; mode=block";
-          add_header X-Robots-Tag none;
-          add_header X-Download-Options noopen;
-          add_header X-Permitted-Cross-Domain-Policies none;
-          add_header X-Frame-Options sameorigin;
-          add_header Referrer-Policy no-referrer;
-          add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          ${optionalString (cfg.nginx.recommendedHttpHeaders) ''
+            add_header X-Content-Type-Options nosniff;
+            add_header X-XSS-Protection "1; mode=block";
+            add_header X-Robots-Tag none;
+            add_header X-Download-Options noopen;
+            add_header X-Permitted-Cross-Domain-Policies none;
+            add_header X-Frame-Options sameorigin;
+            add_header Referrer-Policy no-referrer;
+            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
+          ''}
          client_max_body_size ${cfg.maxUploadSize};
          fastcgi_buffers 64 4K;
          fastcgi_hide_header X-Powered-By;