nixos-config/machines/renge/services/element-web.nix

{ lib, pkgs, ... }:
let
  # This uses
  # https://github.com/vector-im/element-web#configuration-best-practices
  # but allows to disable the frame-ancestors rule for /usercontent/.
  mkSecurityHeaders = withFrameOptions: ''
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
  '' + lib.optionalString withFrameOptions ''
    add_header Content-Security-Policy "frame-ancestors 'none'";
  '' + lib.optionalString (!withFrameOptions) ''
    add_header Content-Security-Policy "frame-ancestors 'self'";
  '';
in
{
  services.nginx.virtualHosts."chat.sbruder.de" = {
    enableACME = true;
    forceSSL = true;

    root = pkgs.element-web;

    extraConfig = mkSecurityHeaders true;
    locations."/usercontent/".extraConfig = mkSecurityHeaders false;

    # nixpkgs’s override mechanism doesn’t allow overriding of all options
    locations."=/config.chat.sbruder.de.json".alias = pkgs.writeText "config.chat.sbruder.de.json" (lib.generators.toJSON { } {
      default_server_config = {
        "m.homeserver" = {
          base_url = "https://matrix.sbruder.de";
          server_name = "matrix.sbruder.de";
        };
      };
      showLabsSettings = true;
      branding = {
        authFooterLinks = [ ];
      };
      piwik = false;
      defaultCountryCode = "DE";
      settingDefaults = {
        "UIFeature.feedback" = false;
        "UIFeature.shareSocial" = false;
        "UIFeature.identityServer" = false;
        "UIFeature.thirdPartyId" = false;
      };
      disable_custom_urls = true;
      jitsi.preferredDomain = "meet.jalr.de";
      disable_guests = true;
      disable_3pid_login = true;
      desktopBuilds.available = false;
    });
  };
}